| 1 |
On 10/23/11 9:47 PM, Anthony G. Basile wrote: |
| 2 |
> So if you look in the hardened profiles, you'll see some things masked |
| 3 |
> like net-im/skype because of the kernel, and some things masked like |
| 4 |
> =sys-devel/gdb-7.0* because of the toolchain. If the hardened toolchain |
| 5 |
> moves into mainstream, then we'll have to sort through those and figure |
| 6 |
> out how to incorporate them into the main profiles. |
| 7 |
|
| 8 |
That's right. My goal now is to come up with a realistic plan how to do |
| 9 |
that. It seems most people agree it's a good goal, now we'd need to |
| 10 |
identify possible problems and find solutions. |
| 11 |
|
| 12 |
Thank you for helping identify problems. Please take a look to see if my |
| 13 |
suggestions make sense. |
| 14 |
|
| 15 |
> How would we say, |
| 16 |
> if you use gcc-config and choose gcc-4.5.1-hardened spec, mask |
| 17 |
> gdb-7.0*? I don't think its impossible, but I'm not seeing how to |
| 18 |
> proceed right now. |
| 19 |
|
| 20 |
First, I'd like the hardened spec to be non-default, so that if the user |
| 21 |
chooses the hardened spec he'd be "on his own", and expect possibly more |
| 22 |
breakages. |
| 23 |
|
| 24 |
Second, profiles/hardened/package.mask seems to contain only few |
| 25 |
entries, and a more recent gdb than 7.0 works and is in stable. I've |
| 26 |
checked on my hardened system. This doesn't seem to be a serious issue, |
| 27 |
maybe we can just punt gdb 7.0 or print a message that it's expected to |
| 28 |
be broken with hardened spec. |
| 29 |
|
| 30 |
Third - can we forcefully disable hardened features in packages that are |
| 31 |
not compatible? My assumption is yes, and we should probably print a |
| 32 |
warning then. |
| 33 |
|
| 34 |
Fourth - we can add the gcc spec to emerge --info. |
| 35 |
|
| 36 |
What do you think? |
Archives