If you are from the Ubuntu team then you make them look good. I've only ever gotten like... maybe one person to respond to me, and it didn't really go anywhere. A nice long response, thank you very much.

Stack Canaries: I was going to suggest strong as well. There should be little performance hit and I just can't see a downside there. Naturally anything that can happen further upstream will be ideal. I suppose I can try talking to them again.

RELRO: I can't imagine that RELRO is a significant performance hit on startup time for applications - naturally more time will be spent in the linker, but I mean... milliseconds. I mean altogether on a system, for bootup, you might see a worst case scenario of an extra second? Pretty much every program is going to be waiting on X11 so that they can refresh and do their own thing once they get a response from it if they're graphical, and everything else is just going to pay the one-time cost since they're daemons anyway. In every benchmark I've seen it's been really tiny, but I don't think I've ever seen a formal full write-up. I may be willing to do a bit of benchmarking.

PIE: Yes, it does indeed have to do with ASLR. With ASLR it's often something of an "all or nothing" game - if you have an incomplete randomization of a process address space, or even a weak but full implementation, an attacker can return reliably into some area. In the case of PIE, there's nothing new - instead of randomizing something like a library, you randomize the offset of the PE in memory. Same exact reasons, same exact thing, Linux just requires you to compile for it. Now, the stated reason from the Ubuntu security team (this is the one time they've responded, though no benchmarks were ever provided despite my asking) is that the performance impact of PIE is too significant (again, no benchmarks, just "too significant") even on 64-bit.

The Ubuntu security wiki has changed recently and I'd rather not try to navigate it, since it's all segmented and I can't just "Ctrl + F" anymore... but it had on there a statement that they were planning to move to PIE for 64-bit and it had been on there for years. RedHat has published their own informal benchmarks: http://securityblog.redhat.com/2012/12/12/position-independent-executable-pie-performance/

"In the testing that I did the performance overhead in program startup ranged from 0.1985 milliseconds to 11 milliseconds. Which is minimal when compared with the benefits that PIE gives you against return oriented programming based attacks."

If performance is a very large issue, consider simply enabling these for 64-bit. As for compatibility with PIE, outside of X11 I haven't heard of problems, and that was solved a while ago. I don't really have a link for the benefits of PIE. But it's the same exact benefits of ASLR, it "completes" (~ish) the ASLR for that address space.

ELSE: Has it really been since 2011? Crazy. I thought it had been sooner. I haven't had time to check the apparmor profile. I do have the issue, I just haven't tried fixing it other than simply removing the line and ignoring any denials. I'm writing my own apparmor tools anyway, mine are totally broken because my system log is full of weird junk that throws it off.

Thanks for the reply.
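The three hardening properties argued over in this thread (stack canaries, RELRO, PIE) are all visible in the ELF file itself, so a packager or auditor can verify whether a build actually received the flags without trusting the build log. The following is an added example, not code from the thread or from any distribution's tooling: a minimal checksec-style inspector written from the ELF64 layout. Its assumptions are labelled in the comments: PIE is inferred from `e_type == ET_DYN`, RELRO from the `PT_GNU_RELRO` segment plus a `BIND_NOW` flag in the dynamic section for "full" RELRO, and the canary check is approximated by looking for the `__stack_chk_fail` symbol name in the file bytes rather than walking the symbol table. The `build_sample_elf` helper constructs a tiny, non-executable ELF image purely as a fixture so the script runs offline; point it at a real binary with `python3 elfcheck.py /path/to/binary` to inspect it.

```python
"""Minimal checksec-style inspection of ELF64 little-endian binaries.

Added illustration; assumptions:
  - PIE:    e_type == ET_DYN (executable is relocatable, so ASLR can
            randomise its base address, completing ASLR for the process)
  - RELRO:  PT_GNU_RELRO segment present -> partial; if the dynamic
            section also requests BIND_NOW, the GOT is resolved before
            being made read-only -> full
  - Canary: approximated by the presence of the __stack_chk_fail symbol
            name in the file (the import the compiler emits for
            -fstack-protector*), not by parsing the symbol table
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR_FMT = "<IIQQQQQQ"   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
DYN_FMT = "<qQ"          # d_tag, d_val


def _dynamic_has_bind_now(data: bytes, offset: int, size: int) -> bool:
    """Scan the PT_DYNAMIC entries for any of the three BIND_NOW spellings."""
    for off in range(offset, offset + size, 16):
        d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_BIND_NOW:
            return True
        if d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
            return True
        if d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
            return True
    return False


def parse_elf64_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full', 'canary': bool}."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_relro, bind_now = False, False
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = fields[0], fields[2], fields[5]
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            bind_now = _dynamic_has_bind_now(data, p_offset, p_filesz)

    relro = "full" if (has_relro and bind_now) else ("partial" if has_relro else "none")
    return {"pie": e_type == ET_DYN, "relro": relro, "canary": b"__stack_chk_fail" in data}


def build_sample_elf(pie: bool, relro: bool, bind_now: bool, canary: bool) -> bytes:
    """Constructed fixture: a tiny ELF64 image with the requested traits.
    It contains no code and is not runnable; it only exercises the parser."""
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum                      # dynamic section follows the phdr table
    phdrs = [struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0,
    )
    image = header + b"".join(phdrs) + dyn
    if canary:
        image += b"__stack_chk_fail\0"
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(parse_elf64_hardening(fh.read()))
    else:
        print(parse_elf64_hardening(build_sample_elf(True, True, True, True)))
```

On a real system the same check is what `readelf -h` (ET_DYN vs ET_EXEC), `readelf -l` (GNU_RELRO) and `readelf -d` (BIND_NOW / FLAGS_1 NOW) show; the script just folds them into one verdict so a whole package set can be swept for binaries that missed the hardening flags.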