diff --git a/cri-o.spec b/cri-o.spec
index d59ec8d..1b35782 100644
--- a/cri-o.spec
+++ b/cri-o.spec
@@ -48,7 +48,7 @@
 Epoch: 2
 Name: %{repo}
 Version: 1.18.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 ExcludeArch: ppc64
 Summary: Kubernetes Container Runtime Interface for OCI-based containers
 License: ASL 2.0
@@ -103,7 +103,18 @@ sed -i 's/module_/module-/' internal/version/version.go
 sed -i 's/\/local//' contrib/systemd/%{service_name}.service
 sed -i 's/\/local//' contrib/systemd/%{service_name}-wipe.service
 
+
 %build
+export CGO_CFLAGS='-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
+%ifarch x86_64
+export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic"
+%if 0%{?fedora} || 0%{?centos} >= 8
+export CGO_CFLAGS="$CGO_CFLAGS -fcf-protection"
+%endif
+%endif
+# These extra flags present in %%{optflags} have been skipped for now as they break the build
+#export CGO_CFLAGS="$CGO_CFLAGS -flto=auto -Wp,D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1"
+
 mkdir _output
 pushd _output
 mkdir -p src/%{provider}.%{provider_tld}/{%{project},opencontainers}
@@ -126,7 +137,11 @@ export LDFLAGS="-X %{import_path}/internal/pkg/criocli.DefaultsPath=%{criocli_pa
 %gobuild -o bin/%{service_name} %{import_path}/cmd/%{service_name}
 %gobuild -o bin/%{service_name}-status %{import_path}/cmd/%{service_name}-status
 
-GO_MD2MAN=go-md2man %{__make} bin/pinns docs
+GO_MD2MAN=go-md2man %{__make} docs
+# work around until https://github.com/cri-o/cri-o/pull/4442 is accepted
+# we need to drop -static for Stack Canary, Relro, and PIE
+sed -i 's/-static//g' pinns/Makefile
+CFLAGS="-std=c99 -Os -Wall -Werror -Wextra -fpie -pie -fstack-protector -D_FORTIFY_SOURCE=3 -Wl,-z,relro,-z,now" %{__make} bin/pinns
 
 %install
 sed -i 's/\/local//' contrib/systemd/%{service_name}.service
@@ -231,6 +246,9 @@ rm -f %{_unitdir}/%{repo}.service
 %{_datadir}/zsh/site-functions/_%{service_name}*
 
 %changelog
+* Mon Dec 21 2020 Peter Hunt <pehunt@redhat.com> - 2:1.18.4-6
+- Update PIE for cri-o and pinns
+
 * Thu Nov 19 2020 Peter Hunt <pehunt@redhat.com> - 2:1.18.4-5
 - fix timestamp for centos 7