Comment 4 for bug 1315426

Thomas Ward (teward) wrote : Re: nginx not built as position independent

After additional discussion with the server team and members of the security team, we do not believe that this qualifies as an SRU. It does not provide any significant benefit other than hardening, and does not qualify for SRU.

As such, I am setting "Won't Fix" in Precise through Utopic, but leaving Vivid alone for now. Here are some additional considerations for Vivid (and also earlier stable releases), brought up during that discussion:
* Turning on PIE in stable releases will have a detrimental performance impact on 32-bit platforms (and will likely annoy people who are using nginx on 32-bit platforms for its performance).
* While "PIE isn't turned on though expected for security-sensitive packages" would possibly be a valid reason to get a change into Vivid during the current freeze, the performance impact on 32-bit platforms would make this a possible blocking point.

It is possible/likely that Vivid+1 will have this fixed there, as Debian has 'committed' a fix that may likely be available by that time (and merged in at some point in the Vivid+1 cycle).