List Archive: gentoo-hardened
>> > I don't get it then. Does anyone know why I can't compile Firefox
>> > as described in the link above? This sums it up:
>> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> > command tops CPU usage for hours."
>> > Although xpcshell doesn't use any CPU for me. It just sits there
>> > and the install phase doesn't proceed.
>> > - Grant
>> I can compile Icecat with a customized ebuild. Since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.
> You can't compile it on a grsec kernel because of this bug: :)
> It's odd that it hangs at xpcshell for you as it's already paxmarked in the
> Anyway, I'd suggest:
> 1) keyword firefox so you can get the latest one, which currently is the
> 10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
> been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
> compile just fine on hardened.
9.0.1 and 10.0 have both failed to emerge on my system, but I haven't
tried 10.0.1. I'll do that right away.
> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>     if use pax_kernel; then
>         mozconfig_annotate '' --disable-methodjit
>         mozconfig_annotate '' --disable-tracejit
>     fi
> 3) the other benefit of disabling jit completely is that you can now disable
> the paxmarking turning MPROTECT off and benefit from properly enforced W^X pages
> :) Unless you want to use FF for flash or java that is... ;)
So I need to use paxctl -m if I want to use flash or java?
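
Added example, not part of the original message: a small C probe for the W^X behaviour discussed in point 3 above. It checks whether the kernel accepts a writable and executable mapping, and whether it accepts the map-writable-then-make-executable sequence that a JIT relies on. The function names are illustrative, and a result of 1 only means the kernel accepted the call.

```c
/* Added example: probe whether this process may obtain writable+executable
 * memory, the pattern a JIT compiler depends on. Names are illustrative. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to map one anonymous page with `prot`; 1 = accepted, 0 = refused. */
static int probe_mmap(int prot)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

/* JIT-style sequence: map RW, fill, request RX. 1 = accepted, 0 = refused,
 * -1 = the initial writable mapping itself failed. */
static int probe_write_then_exec(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0, len);              /* stand-in for emitted code; never run */
    int ok = mprotect(p, len, PROT_READ | PROT_EXEC) == 0;
    munmap(p, len);
    return ok;
}

/* Summarise both probe results for a one-line report. */
static const char *wx_verdict(int rwx_mmap, int write_then_exec)
{
    if (rwx_mmap == 0 && write_then_exec == 0)
        return "W^X enforced";
    if (rwx_mmap == 1 && write_then_exec == 1)
        return "W^X not enforced";
    return "partially restricted";
}

int main(void)
{
    int a = probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC);
    int b = probe_write_then_exec();
    printf("rwx mmap: %d, write-then-exec: %d -> %s\n", a, b, wx_verdict(a, b));
    return 0;
}
```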