From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Date: Fri, 27 Jan 2012 15:33:35 -0500
Subject: Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor?
In-Reply-To: <4F230577.7060602@gentoo.org>
References: <201201240058.50060.vapier@gentoo.org> <4F22FD6C.2020807@gentoo.org> <20120127194527.GT71369@gentoo.org> <4F230577.7060602@gentoo.org>

On Fri, Jan 27, 2012 at 3:13 PM, "Paweł Hajdan, Jr." wrote:
> On 1/27/12 8:45 PM, Fabian Groffen wrote:
>> Just implement it in a way that people can opt-in/opt-out on it.
>
> We already have an opt-in (hardened profile), and of course it can be
> implemented in a way which allows opt-out (I even mentioned that).
>
> The main point is changing the default.

Well, it probably wouldn't hurt to split this out of hardened into something intermediate first. You won't get much testing in hardened on many packages.

I agree that changing the default is the long-term solution. Default off to start, but have it available on mainstream profiles. Encourage people to use it. Then make it the default but let people opt out. Then maybe in the long-term future de-support the opt-out if it seems prudent.

However, the hardened experience will no doubt help us.

Rich