Hardening Debian Stretch with PIE is ready but bindnow will be missing

Hardening all executables by making them position independent (PIE) by default is basically ready, with only a few packages left to fix (bugs). On the other hand bindnow is not enabled globally (#835146) and it seems it will not be for the next stable release, despite my plan :-(.

If you are a maintainer you can still have your packages hardened in Stretch by enabling bindnow per package before 25 January, 2017. It would be a nice present for your users!
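Per-package enabling is done through dpkg-buildflags, i.e. `export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow` in debian/rules, followed by a rebuild. As an added example (this is not code from the original post nor a tool of the Debian hardening effort), here is a check of what actually ended up in the built binaries. The `hardening-check` script from devscripts does this by parsing `readelf` output; the Python below does the same ELF64 checks directly: ELF type ET_DYN for PIE, a PT_GNU_RELRO segment for RELRO, and the DT_BIND_NOW tag or the DF_BIND_NOW / DF_1_NOW flags in the dynamic section for bindnow. Run with no arguments it inspects three constructed in-memory ELF images (a default Stretch-style PIE with lazy binding, the same with bindnow, and an old non-PIE executable); given paths it inspects real files.

```python
"""Report PIE / BIND_NOW / RELRO for little-endian ELF64 images.

Mirrors the checks hardening-check and checksec perform with readelf:
  * PIE       -> e_type == ET_DYN (newer ld also sets DF_1_PIE in DT_FLAGS_1)
  * BIND_NOW  -> DT_BIND_NOW tag, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1
  * RELRO     -> a PT_GNU_RELRO segment; "full" RELRO = RELRO + BIND_NOW
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def hardening_status(blob):
    """Return {'pie', 'bind_now', 'relro', 'full_relro'} for an ELF64 LE image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(blob, 0)

    dyn_off = dyn_size = None
    relro = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            blob, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
        elif p_type == PT_GNU_RELRO:
            relro = True

    flags = flags_1 = 0
    bind_now_tag = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            d_tag, d_val = DYN.unpack_from(blob, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW:
                bind_now_tag = True
            elif d_tag == DT_FLAGS:
                flags = d_val
            elif d_tag == DT_FLAGS_1:
                flags_1 = d_val

    bind_now = bind_now_tag or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)
    # Caveat: shared libraries are ET_DYN too. When the linker is new enough to set
    # DF_1_PIE this distinguishes them; Stretch-era binutils does not set it.
    pie = e_type == ET_DYN
    return {"pie": pie, "bind_now": bind_now, "relro": relro,
            "full_relro": relro and bind_now}


def build_sample(e_type, dyn_entries, relro):
    """Construct a minimal, non-runnable ELF64 image: header + phdrs + dynamic section."""
    p_types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_entries) + DYN.pack(DT_NULL, 0)
    dyn_off = EHDR.size + PHDR.size * len(p_types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, version 1
    hdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(p_types), 0, 0, 0)
    phdrs = b""
    for p_type in p_types:
        size = len(dyn) if p_type == PT_DYNAMIC else 0
        phdrs += PHDR.pack(p_type, 6, dyn_off, dyn_off, dyn_off, size, size, 8)
    return hdr + phdrs + dyn


# Constructed samples (not real Debian binaries): default Stretch PIE with lazy binding,
# the same package rebuilt with hardening=+bindnow, and an old non-PIE executable.
SAMPLES = {
    "pie_lazy": build_sample(ET_DYN, [], relro=True),
    "pie_bindnow": build_sample(
        ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)], relro=True),
    "exec_lazy": build_sample(ET_EXEC, [], relro=False),
}


def report(path):
    """Check a real file on disk."""
    with open(path, "rb") as f:
        return hardening_status(f.read())


if __name__ == "__main__":
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            print(p, report(p))
    else:
        for name, blob in SAMPLES.items():
            print(name, hardening_status(blob))
```

Run it against the binaries in your freshly built .deb (e.g. after `dpkg-deb -x`) and expect `full_relro: True` for every executable; if `bind_now` stays False, the flag did not reach the link step (a common cause is a build system that overrides LDFLAGS). Lazy binding is occasionally relied upon, as the comment below about xorg-server and its drivers shows, so run the package's test suite after flipping the flag.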

update: It is nice to see how enabling PIE in GCC increased PIE coverage at once, while bindnow coverage is improving only slowly, with maintainers enabling it package by package:

(Graph of packages carrying the hardening-no-pie tag, from https://lintian.debian.org/tags/hardening-no-pie.html)

(Graph of packages carrying the hardening-no-bindnow tag, from https://lintian.debian.org/tags/hardening-no-bindnow.html)

update 2: Changed the deadline of enabling bindnow per package to align with the start of the full freeze, not the soft freeze.


2 thoughts on “Hardening Debian Stretch with PIE is ready but bindnow will be missing”

  1. Dwokfur

    I’ve just come across your name while reading about the dcmtk bug and checked your blog. I’m happy to see your efforts on hardening Debian (the lack of it was a reason I switched to Gentoo Hardened ~15 years ago as Adamantix started to fade away).
    I’d like to share an experience I’ve gathered while using Hardened Gentoo. RELRO + BIND_NOW has been propagated for some time now. There are some packages resisting BIND_NOW that still require lazy binding: namely xorg-server and some xf86-video-* drivers. For example, if both xf86-video-ati and xorg-server have been compiled using BIND_NOW, loading Xorg will never finish – it gets into some library loading loop or something. For this reason the Gentoo build system switches back to lazy binding for xorg-server and xf86-video-*. There was a discussion on it. Although I have to check again whether this problem has gone away. It would be so good if these last pieces could also be cleared of lazy binding. Regards: Dw.
