Bug#657853: Please enable hardened build flags

Russ Allbery rra at debian.org
Tue Feb 7 02:55:17 UTC 2012


Moritz Mühlenhoff <jmm at inutil.org> writes:

> Right now -pie is not in the default set of hardening flags for
> Wheezy. It will likely be enabled after Wheezy at least for amd64 and
> other archs with sufficient registers, so setting hardening=-pie can't
> hurt.

It won't hurt, but I'm skeptical we'll be able to make PIE the default.
Not only does it break all add-on modules that don't use libtool but pass
linker flags directly to the build (affecting not only Perl but also
Python, PHP, etc.; I tested with remctl just to see what would happen, and
it pretty much broke all the interpreter build systems), but I've had it
just break otherwise normal code.  gnubg, for example, will immediately
die with "Killed" if built with PIE.  (I didn't investigate further, since
gnubg is not the sort of program that has much security exposure.)

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
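After enabling hardening=+pie (or diagnosing the breakage described above), the first thing to verify is whether a given binary actually came out position-independent. The following is an added example, not code from the thread or from Debian's packaging: a small POSIX sh function that reads the e_type field of an ELF header with od(1) and classifies the file. ET_EXEC (2) is a fixed-address executable and therefore not PIE; ET_DYN (3) is position-independent code, which is either a PIE executable or a shared object, and this header-only check cannot tell those two apart (that needs a look at the program headers, e.g. for PT_INTERP). The make_header helper and the file names are assumptions used only to build constructed test inputs.

```shell
#!/bin/sh
# Added example (not from the original thread): classify an ELF file by its
# e_type header field. Assumes only a POSIX shell with od(1), printf(1) and
# tr(1); readelf is not required.

elf_type() {
    f=$1
    # ELF magic: 0x7f 'E' 'L' 'F' at offset 0
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 0; }
    # EI_DATA at offset 5: 01 = little endian, 02 = big endian
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    # e_type: 2 bytes at offset 16, byte order per EI_DATA
    bytes=$(od -An -tx1 -j16 -N2 "$f" | tr -s ' \n' ' ')
    set -- $bytes
    if [ "$data" = "02" ]; then t="$1$2"; else t="$2$1"; fi
    case "$t" in
        0002) echo exec ;;   # ET_EXEC: fixed address, not PIE
        0003) echo dyn ;;    # ET_DYN: PIE executable or shared object
        *)    echo "other:$t" ;;
    esac
}

# Constructed sample input (assumption, not a real binary): a bare 64-bit
# little-endian ELF header with the given e_type low byte in octal.
make_header() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    printf "\\$2\\000" >> "$1"
}

# Usage: sh pie-check.sh /path/to/binary ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(elf_type "$f")"
done
```

Run it against the freshly built package binaries: anything reported as exec was not linked with -pie, which is exactly the symptom of a build system that ignores LDFLAGS from libtool and passes its own flags directly. A dyn result on an executable is the expected outcome of a PIE build, but confirm it is not simply a shared object before treating the package as hardened.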