>> > I don't get it then.  Does anyone know why I can't compile Firefox
>> > as described in the link above?  This sums it up:
>> >
>> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> > command tops CPU usage for hours."
>> >
>> > Although xpcshell doesn't use any CPU for me.  It just sits there
>> > and the install phase doesn't proceed.
>> >
>> > - Grant
>>
>> I can compile Icecat with a customized ebuild. since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.
>>
>
> You can't compile it on a grsec kernel because of this bug: :)
> https://bugs.gentoo.org/show_bug.cgi?id=396275
>
> It's odd that it hangs at xpcshell for you as it's already paxmarked in the
> ebuild...
>
> Anyway, I'd suggest:
>
> 1) keyword firefox so you can get the latest one, which currently is the
> 10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
> been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
> compile just fine on hardened.

9.0.1 and 10.0 have both failed to emerge on my system, but I haven't
tried 10.0.1.  I'll do that right away.

> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>
>        if use pax_kernel; then
>                        mozconfig_annotate '' --disable-methodjit
>                        mozconfig_annotate '' --disable-tracejit
>        fi
>
> 3) the other benefit of disabling jit completely is that you can now disable
> the paxmarking turning MPROTECT off and benefit from properfly enforced W^X pages
> :) Unless you want to use FF for flash or java that is... ;)

So I need to use paxctl -m if I want to use flash or java?

- Grant