I was preparing pacman 5 and I saw these changes; I think now is the right time to discuss this topic.
What are PIE and SSP? Here are some nice explanations:
SSP (Stack Smash Protector) prevents stack-based buffer overflow bugs from being used to exploit programs in many cases.
PIE (Position Independent Executables)
I would also check if this config must be set:
Currently we use these flags:
-mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4
As specified here, it is no longer required to add ssp-buffer-size with gcc >= 4.9.
Arch has also added -z now. If we follow the above hardening we should add this too. Here is an explanation of what -z now is.
So, the final question is: shall we follow the same Arch implementation by hardening our packages? @inkane was the right guy to ask about this kind of thing, but I would like to know your thoughts, @team.
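As an added example (not part of the original post or of any distribution's tooling), here is a small POSIX sh checker that reports whether a built binary actually got the three properties discussed above, PIE, SSP and -z now (BIND_NOW), by parsing readelf output. The parsers read text on stdin so they can be exercised on captured output; audit_elf is assumed to run on a system with binutils installed.

```shell
#!/bin/sh
# Added example: classify an ELF binary's hardening from readelf text.
# Each *_from_* function reads one readelf listing on stdin and prints yes/no.

# PIE: the ELF header type is DYN instead of EXEC. Caveat: shared libraries
# are DYN as well, so only apply this to executables; newer toolchains also
# set the DF_1_PIE flag ("Flags: ... PIE" in readelf -d), which is unambiguous.
pie_from_header() {
    if grep -q 'Type:[[:space:]]*DYN'; then echo yes; else echo no; fi
}

# SSP: -fstack-protector* makes protected functions call __stack_chk_fail.
# Presence proves the flag was in effect; absence only means no function in
# this binary needed a canary, so treat "no" as "unknown" for tiny programs.
ssp_from_symbols() {
    if grep -q '__stack_chk_fail'; then echo yes; else echo no; fi
}

# -z now: the linker records DT_FLAGS BIND_NOW and/or DT_FLAGS_1 NOW, so the
# dynamic loader resolves every PLT entry at startup and, together with
# -z relro, the GOT can be remapped read-only before main() runs.
bindnow_from_dynamic() {
    if grep -Eq '\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then echo yes; else echo no; fi
}

# One-line report, e.g. "PIE=yes SSP=yes BIND_NOW=no".
# Arguments: the outputs of readelf -h, readelf -s and readelf -d as strings.
hardening_report() {
    pie=$(printf '%s\n' "$1" | pie_from_header)
    ssp=$(printf '%s\n' "$2" | ssp_from_symbols)
    now=$(printf '%s\n' "$3" | bindnow_from_dynamic)
    printf 'PIE=%s SSP=%s BIND_NOW=%s\n' "$pie" "$ssp" "$now"
}

# Run against a real file (needs binutils), e.g.: audit_elf /usr/bin/pacman
audit_elf() {
    hardening_report "$(readelf -h "$1")" "$(readelf -s "$1")" "$(readelf -d "$1")"
}
```

Looping audit_elf over the files a package installs is a quick way to confirm that makepkg.conf flags really reached every binary and were not overridden by a build system's own CFLAGS/LDFLAGS.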