On 05/16/2016 05:47 PM, Information Technology Works wrote:
> I also don't understand the lack of discussion on something this important by other devs. One person had concerns about various things and another mentioned whether upstream would support it, and that was it. I was hoping to at least hear why the wrapper method was so out of spec for Arch as to warrant not supporting full ASLR. I'm sure it seems obvious to those devs opposed, but not to me or possibly other end users. Also, I don't think I'm owed an explanation. I'm just saying more context for something this important would have been nice.
I think at the current state it will be a waste of effort to set up a user repository and build everything with hardening-wrapper.

There have been several internal discussions about PIE in the past and in recent times; that is definitely something that we are aware of. In the past there have been various (performance) reasons with gcc5 that held up stepping further, so the decision was to not backport gcc6 patches and wait for gcc6 to arrive. Fortunately gcc6 arrived, so the topic landed again on the table for discussion.

The current state is that we wanted to have some benchmarking with current (non-PIE) and PIE-enabled binaries to compare them and make sure it eliminated all previous concerns.

If you want to really help push this topic in an official way, then the most useful and best step you could take is helping out with those benchmarks.

cheers,
Levente