Enabled by default

Strategy: as soon as something works... enable it and get everyone to use it!

Then: show upstream software projects the bugs we expose, and help verify the repairs they make

Only had to downgrade the aggressiveness once or twice:
  - A few revisions of ASLR (too greedy with address space)
  - malloc guarding (world is not ready for this)

Currently these methods do not restrict us from running any upstream software