Hi!

On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
> For the record, gcc-6/6.2.0-7 enabled bindnow for the architectures where
> PIE is enabled by default. I think enabling bindnow from dpkg would be
> better through the hardening flags because packages could disable it
> in a nicer and already established way.
Hmm, I don't get why bindnow was enabled by default in gcc, while relro (I'd assume) is not enabled by default, or is that enabled by default now too? IMO either relro + bindnow should be enabled in gcc, or neither should.

I'm fine either way, but I find having a hardened compiler is actually good, because it also gives hardened output for non-packaged builds!

Thanks,
Guillem
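The thread is about whether relro and bindnow end up in a built binary, so the practical check is to inspect the ELF output rather than the build flags. The script below is an added example, not code from the thread, from dpkg or from the gcc packaging: it classifies a binary as no RELRO, partial RELRO (PT_GNU_RELRO present, lazy binding still allowed) or full RELRO (PT_GNU_RELRO plus BIND_NOW), reports whether it is PIE, and builds a toy program three ways with explicit -z options so that whatever defaults the local gcc injects do not matter. It assumes a Linux host with gcc and binutils' readelf on PATH; the function names, the temporary directory layout and the toy program are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread or of Debian's dpkg/gcc code.
# It checks what the thread discusses: whether a built ELF binary actually
# ended up with RELRO, with BIND_NOW ("full RELRO"), and with PIE.
# Assumes a Linux host with gcc and binutils (readelf) on PATH; the
# function names and the toy program are this example's own.

# relro_status FILE -> prints "full", "partial" or "none".
#   full    : PT_GNU_RELRO segment present and BIND_NOW requested
#             (-z relro -z now), so the whole GOT is read-only after startup
#   partial : PT_GNU_RELRO present but lazy binding still allowed
#             (-z relro only), so .got.plt stays writable
#   none    : no PT_GNU_RELRO segment (or not a dynamic ELF file at all)
relro_status() {
    if ! readelf -lW "$1" 2>/dev/null | grep -q 'GNU_RELRO'; then
        echo none
        return 0
    fi
    # BIND_NOW shows up as a DT_BIND_NOW tag, as BIND_NOW in DT_FLAGS,
    # or as NOW in DT_FLAGS_1, depending on the linker version.
    if readelf -dW "$1" 2>/dev/null |
        grep -Eq 'BIND_NOW|\(FLAGS_1\).*[[:space:]]NOW([[:space:]]|$)'; then
        echo full
    else
        echo partial
    fi
}

# is_pie FILE -> exit status 0 if the ELF header type is DYN
# (a PIE executable or a shared object), non-zero otherwise.
is_pie() {
    readelf -hW "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'
}

# build_demo DIR -> compiles a trivial program into DIR/none, DIR/partial
# and DIR/full, passing explicit -z options so distro defaults do not matter.
build_demo() {
    dir=$1
    printf 'int main(void) { return 0; }\n' > "$dir/t.c"
    gcc -o "$dir/none"    "$dir/t.c" -Wl,-z,norelro -Wl,-z,lazy
    gcc -o "$dir/partial" "$dir/t.c" -Wl,-z,relro   -Wl,-z,lazy
    gcc -o "$dir/full"    "$dir/t.c" -Wl,-z,relro   -Wl,-z,now
}

# report FILE -> one line per binary, the way a hardening check would print it.
report() {
    if is_pie "$1"; then pie=yes; else pie=no; fi
    printf '%-40s relro=%-8s pie=%s\n' "$1" "$(relro_status "$1")" "$pie"
}

# Run the demo only when the toolchain is available.
if command -v gcc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    build_demo "$tmp"
    for b in none partial full; do
        report "$tmp/$b"
    done
fi
```

Point relro_status at any installed binary to see what the distribution's defaults produced; a "partial" result on a binary built with the hardening flags enabled is exactly the relro-without-bindnow state the message above asks about.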