On the other hand, when building from source (and building distribution-specific) it doesn't have to default to static linking (and can include all the PIE you want :p). That's currently just an artifact of the inflexibility of "make". As mentioned, a configurable build system like autotools would address this by providing options such as --with-static.
Right, this was what I meant. Obviously the shipped binaries will need to be statically linked, alas. That's still no reason to leave everyone else statically linked.
You don't need autotools for this: just add another target "make static-dist", or whatever.
For me, on Fedora, the static builds fail because the distribution doesn't ship with static versions of pretty much _anything_ because the overuse of static libraries has been a recurring security nightmare. So, really, for some people the failure to separate static and not static builds means that building simply doesn't work.
Oh, while we're talking about this: it was claimed upthread that bitcoin should already have -fstack-protector. I don't know about Ubuntu, but in Fedora -fstack-protector is set via the default RPM cflags, and _not_ by modifying GCC. If the same is true on Ubuntu, then bitcoind doesn't have it. Someone with Ubuntu handy ought to compile the examples from that Debian page and see if gcc in Ubuntu is really providing the protection by default.
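The check asked for above, as an added example that is not part of the thread or of the Bitcoin build system: a small POSIX shell script that asks the C compiler what it hardens by default versus when told explicitly. It assumes a gcc- or clang-compatible compiler in `$CC` (or `cc`) that understands `-dM -E` and `-S`; the function names (`ssp_macro`, `ssp_canary`, `pie_macro`, `report`) are this example's own. Both compilers predefine `__SSP__` (or `__SSP_STRONG__`/`__SSP_ALL__`) when a stack protector is active and `__PIE__` when generating position-independent code, so a macro probe answers quickly; the second probe compiles a function with a local char buffer to assembly and looks for the `__stack_chk_fail` call, which is the proof that a canary was actually inserted.

```shell
#!/bin/sh
# Added example (not from the thread): probe what the C compiler hardens by
# default, versus when asked explicitly. Assumes a gcc- or clang-compatible
# compiler in $CC (or "cc") that understands -dM -E and -S.
CC="${CC:-cc}"

# Ask the preprocessor which feature macros are predefined for the given flags.
predefines() { echo | "$CC" -x c "$@" -dM -E - 2>/dev/null; }

# "yes" if the compiler, run with the given flags, has a stack protector on.
# gcc and clang define __SSP__, __SSP_STRONG__ or __SSP_ALL__ accordingly.
ssp_macro() {
    if predefines "$@" | grep -q '__SSP'; then echo yes; else echo no; fi
}

# "yes" if the compiler, run with the given flags, emits PIE code generation.
# This covers codegen only; whether the link step produces a PIE executable
# is a separate linker default that this probe does not check.
pie_macro() {
    if predefines "$@" | grep -q '__PIE__'; then echo yes; else echo no; fi
}

# The convincing check: compile a function with a local char buffer and see
# whether the generated assembly references __stack_chk_fail, i.e. whether a
# canary was really inserted. Plain -fstack-protector only guards functions
# with char arrays of at least 8 bytes (the default ssp-buffer-size), so the
# constructed probe uses a 64-byte buffer and is built without optimisation.
ssp_canary() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/probe.c" <<'EOF'
#include <string.h>
int probe(const char *s) { char buf[64]; strcpy(buf, s); return buf[0]; }
EOF
    if "$CC" "$@" -S -o "$tmp/probe.s" "$tmp/probe.c" 2>/dev/null \
       && grep -q '__stack_chk_fail' "$tmp/probe.s"; then
        result=yes
    else
        result=no
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Print what this toolchain does with no flags and with the explicit flags.
report() {
    printf 'compiler: %s\n' "$("$CC" --version 2>/dev/null | head -n 1)"
    printf 'stack protector, no flags:          macro=%s canary=%s\n' \
        "$(ssp_macro)" "$(ssp_canary)"
    printf 'stack protector, -fstack-protector: macro=%s canary=%s\n' \
        "$(ssp_macro -fstack-protector)" "$(ssp_canary -fstack-protector)"
    printf 'PIE codegen, no flags: %s\n' "$(pie_macro)"
    printf 'PIE codegen, -fPIE:    %s\n' "$(pie_macro -fPIE)"
}

report
```

Run it as-is on the build box. If the "no flags" line reports `canary=yes`, the distribution's compiler enables the protector on its own, as the Debian page describes, and a bare `make` inherits it; if it reports `canary=no` while the `-fstack-protector` line reports `yes`, the protection only exists when the flag is passed, which is the Fedora situation described above (RPM cflags, not a patched GCC), and a build that does not use the packaging flags gets none of it. Overriding `CC=clang` or `CC=gcc-4.6` lets you compare several installed toolchains.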
"PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), ... PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required"
So it should probably be enabled by default for x86_64 but not x86_32.
This is only the case for tight-loop, register-starved, CPU-bound code. Bitcoin is usually I/O bound. I've been running bitcoin in _valgrind_ (which runs most things at 1/10th to 1/20th speed) and hardly notice any difference except while syncing up the blockchain.
I'm seriously doubtful that PIE is going to make a noticeable performance difference. Also, the libraries on any system are all already -fPIC, and all the crypto stuff is already in libraries. Moreover, there is a pretty easy answer to someone who wants more performance: use x86_64, which is generally true (esp. for C++ code) with or without PIE.