[pacman-dev] [PATCH] add support for PIE to makepkg

Allan McRae allan at archlinux.org
Tue Jul 22 05:01:03 EDT 2014


On 22/07/14 07:41, Daniel Micay wrote:
> A `pie` option is added for wrapping C and C++ compilers and passing the
> correct options for building position independent executables. PIE is
> required for full address space layout optimization (ASLR) and there is
> little to no benefit from ASLR without it since global ELF tables
> (GOT/PLT) and application code are at known locations.
> 
> A wrapper script is required in order to pass the correct flags for
> executables without changing the flags for libraries. It adds `-pie`
> when linking (no `-c` switch) if `-static` or `-shared` are not passed,
> and `-fPIE` whenever `-fPIC` is not already there. This technique comes
> from the Debian hardening wrappers.
> 
> Position independent code is expensive on i686, so it's only enabled by
> default on x86_64 where the cost is negligible. It can be enabled on a
> package-by-package basis on i686. The same cost already exists for any
> code in a dynamic library.

Why should this be in makepkg?  Just like Debian this should be a
distribution build system integration rather than in the package manager.

Allan
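
The flag-selection rule described in the quoted commit message, written out as an added example; it is not the wrapper script from the patch or from Debian's hardening wrappers. The function names, the `REAL_CC` variable, and the sample command lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration of the rule in the commit message: append -pie when
# linking (no -c) unless -static or -shared is given, and append -fPIE
# whenever -fPIC is not already present. Names here are hypothetical.

# pie_extra_flags ARGS... : print the flags such a wrapper would append.
pie_extra_flags() {
    linking=1    # no -c seen, so the compiler driver will run the linker
    want_pie=1   # cleared by -static or -shared
    want_fpie=1  # cleared when -fPIC is already on the command line
    for arg in "$@"; do
        case "$arg" in
            -c)              linking=0 ;;
            -static|-shared) want_pie=0 ;;
            -fPIC)           want_fpie=0 ;;
        esac
    done
    extra=""
    if [ "$want_fpie" -eq 1 ]; then
        extra="-fPIE"
    fi
    if [ "$linking" -eq 1 ] && [ "$want_pie" -eq 1 ]; then
        extra="${extra:+$extra }-pie"
    fi
    printf '%s\n' "$extra"
}

# wrapped_cc ARGS... : how a wrapper would hand off to the real compiler.
# REAL_CC is an assumed variable; this function is defined but not called here.
wrapped_cc() {
    # $(...) is left unquoted on purpose so the two flags split into words.
    "${REAL_CC:-/usr/bin/cc}" "$@" $(pie_extra_flags "$@")
}

# Constructed command lines showing each branch of the rule.
for cmd in \
    "-O2 -c main.c -o main.o" \
    "main.o -o app" \
    "-fPIC -shared foo.o -o libfoo.so" \
    "-static main.o -o app"
do
    # $cmd is unquoted so each sample splits into separate arguments.
    printf '%-36s => [%s]\n' "$cmd" "$(pie_extra_flags $cmd)"
done
```

A binary linked this way reports `Type: DYN` in the output of `readelf -h`, which is a quick check that a package's executables were actually built as PIE.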

