After additional discussion with the server team and members of the security team, we do not believe that this qualifies as an SRU. It does not provide any significant benefit other than hardening, and does not qualify for SRU.
As such, I am setting "Won't Fix" in Precise through Utopic, but leaving Vivid alone for now. Here's some additional considerations for Vivid (and also earlier stable releases), brought up during that discussion: * Turning on PIE in stable releases will have a detrimental performance impact on 32-bit platforms (and will likely annoy people who are using nginx on 32-bit platforms for its performance. * While "PIE isn't turned on though expected for security-sensitive packages" would possibly be a valid reason to get a change into Vivid during the current freeze, the performance impact on 32-bit platforms would make this a possible blocking point. It is possible/likely that Vivid+1 will have this fixed there, as Debian has 'committed' a fix that may likely be available by that time (and merged in at some point in the Vivid+1 cycle). ** Changed in: nginx (Ubuntu Precise) Status: Triaged => Won't Fix ** Changed in: nginx (Ubuntu Trusty) Status: Triaged => Won't Fix ** Changed in: nginx (Ubuntu Utopic) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1315426 Title: nginx not built as position independent To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1315426/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs