[Bug 1315426] Re: nginx not built as position independent

[Thomas Ward]

After additional discussion with the server team and members of the
security team, we do not believe that this qualifies as an SRU.  It does
not provide any significant benefit other than hardening, and does not
qualify for SRU.

As such, I am setting "Won't Fix" in Precise through Utopic, but leaving Vivid alone for now.  Here's some additional considerations for Vivid (and also earlier stable releases), brought up during that discussion:
* Turning on PIE in stable releases will have a detrimental performance impact on 32-bit platforms (and will likely annoy people who are using nginx on 32-bit platforms for its performance.
* While "PIE isn't turned on though expected for security-sensitive packages" would possibly be a valid reason to get a change into Vivid during the current freeze, the performance impact on 32-bit platforms would make this a possible blocking point.


It is possible/likely that Vivid+1 will have this fixed there, as Debian has 'committed' a fix that may likely be available by that time (and merged in at some point in the Vivid+1 cycle).

** Changed in: nginx (Ubuntu Precise)
       Status: Triaged => Won't Fix

** Changed in: nginx (Ubuntu Trusty)
       Status: Triaged => Won't Fix

** Changed in: nginx (Ubuntu Utopic)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1315426

Title:
  nginx not built as position independent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1315426/+subscriptions