On 03/29/2013, Reindl Harald wrote:

>> -fPIE code is larger and takes longer to execute. The cost varies from
>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686
>
> i686 becomes more or less dead
>
> there could be made a difference in SPEC-files to in border
> cases only harden the x86_64 binaries because in context
> of servers i686 is already dead except legacy systems which
> are not relevant for recent fedora versions

The usage of i686 user-mode software is *INCREASING*, especially on x86_64
machines which run a 64-bit kernel. The same amount of physical RAM can
support several percent more simultaneous 32-bit user-mode processes before
paging. 64-bit .text, pointers, and longs are larger. Only a few applications
need a 64-bit address space. It will be many years before i686 user mode dies.

[snip]

> * please do not argue with "but you need this and this AND this"
> the experience of the last years shows how creative attackers
> are acting with RANDOM input data

I'm arguing the total expected benefit (integral over time of estimated
exposure times expected prevented loss) versus actual cost (more machines,
RAM, heat, [avoided] latency). I'm not convinced that PIE+RELRO is worth it
except for a process with elevated privilege or extended lifetime.

Please cite some documented cases where PIE and/or RELRO prevented or delayed
an actual loss, or signaled with sufficient warning to be useful. Meanwhile
I'm spending more each month to consume more resources because of PIE+RELRO.
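An added example, not part of the original message and not Fedora tooling: a small ELF header parser that reports, for an i686 or x86_64 binary, whether it was linked as PIE and which level of RELRO it carries, the two properties whose cost is debated in this thread. The function names, the PIE heuristic (ET_DYN plus PT_INTERP or DF_1_PIE) and the constructed sample images are assumptions of the example.

```python
import struct

PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening(elf):
    """Return (bits, is_pie, relro); relro is 'none', 'partial' or 'full'."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = elf[4] == 2, "<" if elf[5] == 1 else ">"
    w = "Q" if is64 else "I"  # address-sized field: 8 bytes on x86_64, 4 on i686
    e_type, = struct.unpack_from(e + "H", elf, 16)
    phoff, = struct.unpack_from(e + w, elf, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54 if is64 else 42)
    types, dyn = set(), {}
    for i in range(phnum):
        ph = phoff + i * phentsize
        p_type, = struct.unpack_from(e + "I", elf, ph)
        types.add(p_type)
        if p_type == PT_DYNAMIC:
            # p_offset/p_filesz offsets differ between Elf32_Phdr and Elf64_Phdr
            off, = struct.unpack_from(e + w, elf, ph + (8 if is64 else 4))
            size, = struct.unpack_from(e + w, elf, ph + (32 if is64 else 16))
            dyn = dict(struct.iter_unpack(e + w + w, elf[off:off + size]))
    flags, flags1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    # eager binding (BIND_NOW) is what lets the whole GOT be remapped read-only
    bind_now = DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    # ET_DYN (3) alone also matches shared libraries, so require a PIE marker
    is_pie = e_type == 3 and (PT_INTERP in types or bool(flags1 & DF_1_PIE))
    relro = "none" if PT_GNU_RELRO not in types else "full" if bind_now else "partial"
    return (64 if is64 else 32, is_pie, relro)

def sample(is64, e_type, ph_types, dyn):
    """Constructed little-endian ELF image (headers + .dynamic only) for the demo."""
    w, ehsz, phsz = ("Q", 64, 56) if is64 else ("I", 52, 32)
    dynb = b"".join(struct.pack("<" + w + w, t, v) for t, v in dyn + [(0, 0)])
    dyn_off = ehsz + phsz * (len(ph_types) + 1)
    def phdr(t, off=0, size=0):
        if is64:
            return struct.pack("<IIQQQQQQ", t, 0, off, 0, 0, size, size, 0)
        return struct.pack("<IIIIIIII", t, off, 0, 0, size, size, 0, 0)
    hdr = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    hdr += struct.pack("<HHI" + w * 3 + "I6H", e_type, 62 if is64 else 3, 1, 0,
                       ehsz, 0, 0, ehsz, phsz, len(ph_types) + 1, 0, 0, 0)
    phs = b"".join(phdr(t) for t in ph_types) + phdr(PT_DYNAMIC, dyn_off, len(dynb))
    return hdr + phs + dynb
```

On a real system, `hardening(open(path, "rb").read())` can be run over the installed binaries to see which ones actually carry PIE and full RELRO.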