On Wed, Apr 3, 2013 at 2:05 PM, Steve Grubb <sgrubb@redhat.com> wrote:
On Wednesday, April 03, 2013 01:48:17 PM Miloslav Trmač wrote:
> On Tue, Apr 2, 2013 at 9:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> > > "_hardened_build" rpm spec macro can be used to harden a package.
> > >
> > > For an example, see
> > > http://pkgs.fedoraproject.org/cgit/clamav.git/tree/clamav.spec
> >
> > This flag is overly aggressive. We have a list of programs that need PIE
> > enabled and doing more isn't necessarily constructive.
>
> Why exactly is it that doing more "isn't necessarily constructive"?  If you
> have hard data, please share :)

Because PIE is only supposed to be on long-running apps and setuid apps. If
it's on everything, it will slow the system down too much, and then you have
the knee-jerk reaction to remove it from anything. We want it applied when
needed and otherwise not.

How much does it slow things down? I'm fairly certain you don't have any good data on this point. Dhiru is working out how best to figure that out, FWIW.

I'm willing to agree that PIE on x86 is going to be very slow due to register pressure. However, we should consider revisiting what we want built as PIE. Is Firefox a long-running process? It is on my system. Revisiting our current list and trying to understand our needs is never a bad thing to do. Existing architectures are different now than they were when that list was created; no harm comes from talking about it.

-- 
    JB
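As an added example (not part of this thread), a small Python checker for the property the discussion is about: whether a given binary was actually built as PIE. It reads the ELF64 header directly (the same ET_DYN vs ET_EXEC distinction `readelf -h` prints) and uses the presence of a PT_INTERP segment to tell a PIE executable from a plain shared object; the sample images are constructed inline so it runs offline. The `make_elf` helper and the classification labels are this example's own, not anything from the rpm macro or the list discussed above.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF spec
PT_INTERP = 3            # program header type carrying the dynamic loader path

def classify_elf(data: bytes) -> str:
    """Classify an ELF64 little-endian image as 'pie', 'exec', 'shared' or 'other'.

    A PIE is linked as ET_DYN (like a shared library) but, being an executable,
    also carries a PT_INTERP segment naming the dynamic loader. Note the known
    caveat that a few libraries (glibc's libc.so, for instance) also ship a
    PT_INTERP, so treat 'pie' as a strong hint, not proof, for such files.
    """
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp = False
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
    if e_type == ET_EXEC:
        return "exec"      # fixed load address: not position independent
    if e_type == ET_DYN:
        return "pie" if has_interp else "shared"
    return "other"         # relocatable object, core file, etc.

def make_elf(e_type: int, phdr_types: list) -> bytes:
    """Build a constructed, minimal ELF64 header plus program header table (no code)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000, 64, 0,
                              0, 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return hdr + phdrs

def classify_file(path: str) -> str:
    """Convenience wrapper for checking a real binary on disk."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())

if __name__ == "__main__":
    # PT_LOAD (1) + PT_INTERP (3) on an ET_DYN image is what a PIE looks like.
    print(classify_elf(make_elf(ET_DYN, [1, PT_INTERP])))   # pie
    print(classify_elf(make_elf(ET_EXEC, [1, PT_INTERP])))  # exec
    print(classify_elf(make_elf(ET_DYN, [1])))              # shared
```

Running `classify_file` over the executables a package installs is a quick way to confirm whether a spec's hardening flag actually took effect for each binary.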