Hardening all executables by making them position independent (PIE) by default is basically ready, with a few packages left to fix (bugs). On the other hand, bindnow is not enabled globally (#835146) and it seems it will not be for the next stable release despite my plan :-(.
If you are a maintainer you can still have your packages hardened in Stretch by enabling bindnow per package before 25 January 2017. It could be a nice present for your users!
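Enabling bindnow per package means adding `export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow` to debian/rules so dpkg-buildflags passes `-Wl,-z,now` to the linker. The natural follow-up check is to confirm the built binaries actually carry the flags. The script below is an added example, not code from this post or from Debian: it reads the ELF header, program headers and dynamic section itself, so it needs neither readelf nor devscripts' hardening-check, and it reports PIE (ET_DYN executable), BIND_NOW (DT_BIND_NOW or the matching DT_FLAGS/DT_FLAGS_1 bits) and RELRO (PT_GNU_RELRO segment; "full" only together with BIND_NOW). Only little-endian ELF64 is handled, and the `build_sample_elf` helper fabricates a minimal image purely for self-testing.

```python
"""Check an ELF64 binary for PIE, BIND_NOW and RELRO without external tools.

Added example (not the blog's or Debian's code). Handles little-endian
ELF64 only; the sample-image builder exists for offline self-tests.
"""
import struct
import sys

# ELF constants from the ELF specification and glibc's <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 file header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header
DYN = struct.Struct("<qQ")                 # 16-byte dynamic-section entry


def analyze_elf(data):
    """Return {'pie', 'bind_now', 'relro'} for the ELF image in `data`."""
    (ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported")

    dynamic, has_relro = None, False
    for i in range(e_phnum):
        p_type, _pf, p_offset, _va, _pa, p_filesz, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    # Collect dynamic tags up to DT_NULL (a static binary has none).
    tags = {}
    if dynamic is not None:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + DYN.size <= end:
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
            off += DYN.size

    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # ET_DYN is what hardening-check treats as PIE; shared libraries are
    # ET_DYN too, so run this on executables, not on .so files.
    pie = e_type == ET_DYN
    relro = "full" if (has_relro and bind_now) else ("partial" if has_relro else "none")
    return {"pie": pie, "bind_now": bind_now, "relro": relro}


def check_file(path):
    """Analyze the ELF file at `path`."""
    with open(path, "rb") as f:
        return analyze_elf(f.read())


def build_sample_elf(pie, bind_now, relro):
    """Constructed minimal ELF64 image (header, two program headers, a
    dynamic section, no code) mirroring what ld emits for -z now / -pie."""
    dyn_off = EHDR.size + 2 * PHDR.size
    entries = [(DT_FLAGS, DF_BIND_NOW if bind_now else 0),
               (DT_FLAGS_1, DF_1_NOW if bind_now else 0),
               (DT_NULL, 0)]
    dyn = b"".join(DYN.pack(t, v) for t, v in entries)
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    phdrs += PHDR.pack(PT_GNU_RELRO if relro else 0, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, 2, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/bin/foo ...   (hypothetical file name)
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Run it over the executables in a freshly built package (for example everything under debian/tmp/usr/bin) and look for `bind_now: True` and `relro: full`; a `partial` result means the package still links lazily and the `hardening=+bindnow` line has not taken effect.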
update: It is nice to see how enabling PIE in GCC increased PIE coverage, while bindnow coverage is improving slowly with maintainers enabling it package by package.
update 2: Changed the deadline of enabling bindnow per package to align with the start of the full freeze, not the soft freeze.
And PIE actually passed bindnow just recently: https://outflux.net/debian/hardening/
I’ve just come across your name while reading about the dcmtk bug and checked your blog. I’m happy to see your efforts on hardening Debian (lack of it was a reason I switched to Gentoo Hardened ~15 years ago as Adamantix started to fade away).
I’d like to share an experience I’ve gathered while using Hardened Gentoo. RELRO + BIND_NOW has been propagated for some time now. There are some packages resisting BIND_NOW and still requiring lazy binding: namely xorg-server and some xf86-video-* drivers. E.g., if both xf86-video-ati and xorg-server have been compiled using BIND_NOW, loading Xorg will never finish – it gets into some library loading loop or something. For this reason the Gentoo build system switches back to lazy binding for xorg-server and xf86-video-*. There was a discussion on it. Although I have to check again whether this problem has gone away. It would be so good if these last pieces could also be clarified from lazy binding. Regards: Dw.