D:SbD makes suggestions and recommendations to improve the security of Debian without being invasive to the end user. These changes may require maintainers to do extra work, or may give the user extra options (not administrative tasks) to tell Debian how it should do things. In order to make this happen as painlessly as possible, we need certain things to be done or created.
Many of the changes D:SbD covers involve recompiling applications, and the recompiled programs often break. Certain packages must therefore be built without such protections until the application is made to work with the security system being put in place.
As I write this, let me assure you that I have never built a package for Debian, and I don't know how maintainers control what optimization flags are used for those packages. I may be redundant in saying this, but the Debian maintainers need a way to mark out packages so that they know which ones not to build with the restrictions.
Systems such as PaX allow restrictions to be applied to executable binaries at any time. These systems would present the user with some sort of interface, likely debconf based, to apply or remove the recommended settings. The reason for allowing this is that applying "compatibility" settings reduces security, whereas removing them causes breakage. It must be up to the user to choose.
If a user wishes to remove the PaX binary markings on a program, the paxctl and chpax programs can use the -z switch to zero the flag mask on the binary, which reactivates all restrictions and of course causes breakage. The flags can later be reapplied.
Instead of relying on such a crude mechanism, Debconf could be used to manage PaX markings. Each program and library needing PaX markings would be noted in a database. The administrator could at any time have Debconf display the list of applications that need markings to function properly, and have it apply or remove those markings.
For such a system to function, it would need to mark the actual executable binaries; a marking on a library is not inherited by the binaries that load it. Upon installation, Debconf can call ldd to check each binary and its libraries recursively for libraries known to require PaX markings. Binaries relying on those libraries would then need the same markings. In this way, even applications the database does not list can get proper markings when they use a library that is known to need them.
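The recursive ldd check described above, as an added example that is not part of this page or of any Debian tool: the database entries, the ldd output and the paxctl switches used (-m, -e, -z) are constructed or assumed for illustration. It resolves each binary's transitive libraries, unions the markings of every flagged object it pulls in, and emits paxctl commands for binaries only, since library markings are not inherited.

```python
import re

# Constructed database of objects known to need PaX markings, mapped to the
# paxctl switch that relaxes the restriction they break under (hypothetical entries).
NEEDS_MARKINGS = {
    "/usr/lib/libjitdemo.so.1": "-m",  # hypothetical JIT library: needs MPROTECT off
    "/usr/bin/legacyapp": "-e",        # hypothetical binary: needs EMUTRAMP off
}

# Constructed ldd output per ELF object, standing in for real ldd calls.
LIBC = "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000002000)\n"
LDD_OUTPUT = {
    "/usr/bin/viewer": "\tlinux-vdso.so.1 (0x00007ffd12345000)\n"
                       "\tlibgui.so.2 => /usr/lib/libgui.so.2 (0x00007f0000001000)\n" + LIBC,
    "/usr/lib/libgui.so.2": "\tlibjitdemo.so.1 => /usr/lib/libjitdemo.so.1 (0x00007f0000003000)\n" + LIBC,
    "/usr/bin/legacyapp": LIBC,
    "/usr/bin/clean": LIBC,
}

LDD_RESOLVED = re.compile(r"=>\s+(/\S+)")  # resolved "name => /path" lines only

def parse_ldd(text):
    """Library paths from ldd output; vdso and 'not found' lines carry no path."""
    return LDD_RESOLVED.findall(text)

def transitive_libs(path):
    """Every shared library the object loads, directly or via other libraries."""
    seen, stack = set(), [path]
    while stack:
        for lib in parse_ldd(LDD_OUTPUT.get(stack.pop(), "")):
            if lib not in seen:  # also stops on dependency cycles
                seen.add(lib)
                stack.append(lib)
    return seen

def required_markings(binary):
    """paxctl switches a binary needs: its own entry plus any flagged library it pulls in."""
    flags = set()
    for obj in {binary} | transitive_libs(binary):
        flags.update(NEEDS_MARKINGS.get(obj, "").split())
    return " ".join(sorted(flags))

def plan_commands(binaries, apply=True):
    """Commands Debconf would run; only executables are marked, never libraries."""
    plan = []
    for b in binaries:
        if required_markings(b):  # -z zeroes the flag mask, restoring every restriction
            plan.append(f"paxctl {required_markings(b)} {b}" if apply else f"paxctl -z {b}")
    return plan
```

The viewer binary is not in the database itself, yet it is marked because libgui pulls in the flagged JIT library two levels down.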