[ubuntu-hardened] Missing some hardening flags for a few apps.
seth.arnold at canonical.com
Fri Nov 30 18:41:56 UTC 2012
On Fri, Nov 30, 2012 at 12:00:13PM -0600, Jamie Strandboge wrote:
> As for PIE and BIND_NOW, these are disabled by default and opt-in for
> packages that want them. The reason PIE is like this is because it can
> introduce a performance penalty on some architectures like i386. I don't
> recall why BIND_NOW is off by default-- presumably for the same reason
> (maybe someone else on the list can comment). See our wiki for more
BIND_NOW also represents a potentially stiff performance penalty,
especially for the larger applications, as it forces all the libraries
for an application to be loaded before the application is responsive to
user input. This can be several hundred megabytes of disk IO, and if
the libraries are not also used immediately, represents a few hundred
megabytes of displaced buffers and cache that might be more profitably
In essence, it can add twice the size of the libraries to the disk IO
requirements -- half of it immediately, at application start, and the
other half as different programs and data are reloaded from disk.
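The thread above is about whether a given binary was built with PIE and BIND_NOW. The following is an added example, not code from the thread or from Ubuntu's toolchain, of how to check that from the ELF file itself: a PIE executable has e_type == ET_DYN, and BIND_NOW shows up in the .dynamic section as a DT_BIND_NOW entry, as DF_BIND_NOW in DT_FLAGS, or as DF_1_NOW in DT_FLAGS_1 (the same things `readelf -d` prints as "(BIND_NOW)" and "(FLAGS_1) Flags: NOW"). It handles little-endian ELF64 only, and the `build_sample_elf` fixtures it runs against are constructed in memory for illustration, not real programs; the constant values come from <elf.h>.

```python
import struct

# Constants from <elf.h>.
ET_EXEC, ET_DYN = 2, 3
SHT_DYNAMIC = 6
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS = 0, 1, 24, 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8          # in DT_FLAGS
DF_1_NOW = 0x1             # in DT_FLAGS_1
DF_1_PIE = 0x08000000      # in DT_FLAGS_1, set by newer linkers on PIE executables


def parse_elf64(data):
    """Return (e_type, [(d_tag, d_val), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles little-endian ELF64")
    e_type, = struct.unpack_from("<H", data, 16)
    e_shoff, = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    dyn = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", data, off + 4)
        if sh_type != SHT_DYNAMIC:
            continue
        sh_offset, sh_size = struct.unpack_from("<QQ", data, off + 24)
        # Each Elf64_Dyn is a signed 8-byte tag followed by an 8-byte value.
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            dyn.append((d_tag, d_val))
    return e_type, dyn


def hardening_status(data):
    """Report whether the image is PIE and whether it asks the loader for BIND_NOW."""
    e_type, dyn = parse_elf64(data)
    tags = dict(dyn)  # repeated tags (DT_NEEDED) are not the ones inspected here
    flags = tags.get(DT_FLAGS, 0)
    flags1 = tags.get(DT_FLAGS_1, 0)
    # Any one of these makes ld.so resolve every symbol at load time instead of
    # lazily on first call; combined with RELRO that lets the GOT be made read-only,
    # which is the cost/benefit the thread is discussing.
    bind_now = (DT_BIND_NOW in tags) or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    # A PIE executable is ET_DYN like a shared library; a caller that must tell
    # the two apart can look at DF_1_PIE (newer toolchains) or for a PT_INTERP.
    pie = e_type == ET_DYN
    return {"pie": pie, "bind_now": bind_now}


def check_file(path):
    """Convenience wrapper for a real binary on disk, e.g. check_file('/bin/ls')."""
    with open(path, "rb") as f:
        return hardening_status(f.read())


def build_sample_elf(e_type, dyn_entries):
    """Constructed test fixture: an ELF64 header plus a .dynamic section only.

    It is not loadable, but it has exactly the fields the checker reads.
    """
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn_bytes += struct.pack("<qQ", DT_NULL, 0)
    ehdr_size = shdr_size = 64
    dyn_off = ehdr_size
    shoff = dyn_off + len(dyn_bytes)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 0, shoff, 0,
                               ehdr_size, 0, 0, shdr_size, 2, 0)
    null_sh = b"\x00" * shdr_size
    dyn_sh = struct.pack("<IIQQQQIIQQ", 0, SHT_DYNAMIC, 0, 0,
                         dyn_off, len(dyn_bytes), 0, 0, 8, 16)
    return ehdr + dyn_bytes + null_sh + dyn_sh


def demo():
    """Compare a fully hardened image with one built with the defaults described above."""
    hardened = build_sample_elf(ET_DYN, [(DT_NEEDED, 1), (DT_FLAGS, DF_BIND_NOW),
                                         (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
    default = build_sample_elf(ET_EXEC, [(DT_NEEDED, 1)])
    return hardening_status(hardened), hardening_status(default)


if __name__ == "__main__":
    print(demo())
```

To produce the hardened variant with GCC, build with `-fPIE -pie` for PIE and link with `-Wl,-z,now` for BIND_NOW (`-Wl,-z,relro` on top of that gives full RELRO); omitting `-z now` leaves the lazy PLT binding that the performance argument in the thread is about.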