As a part of my earlier threads I tried to figure out the migration plan
from a non-hardened glibc and a non-hardened gcc to both of them hardened.

That of course raises questions like: what do we compile first, and what
are the dependencies here?

Here's what I have figured out - by _experimenting_, not speculation:

1. Building glibc with USE=hardened works, no matter whether the
toolchain is hardened or not.

2. However, glibc won't apply one hardening-related patch if the
toolchain used is not PIE-enabled.

3. Interestingly, gcc with USE=hardened compiles fine even if glibc is
-hardened. The vanilla spec works. I haven't tested the hardened spec.

Based on that, I suggest the following dependency changes (conceptually):

In glibc: DEPEND="gcc[hardened?]"
In gcc: PDEPEND="elibc_glibc? glibc[hardened?]"

Thoughts?
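Since point 2 makes the order depend on whether the toolchain already defaults to PIE, here is an added check for that condition (my own script, not from the post or from any Gentoo ebuild): it compiles a trivial program with no explicit PIE flags and reads the ELF type back, so it works regardless of whether PIE comes from the gcc specs file or from a configure-time default. It assumes a C compiler (`$CC` or `gcc`) and `readelf` from binutils are installed; the function names are mine.

```shell
#!/bin/sh
# Added check (not from the original post): report whether the C compiler
# defaults to PIE, the condition the glibc hardening patch hinges on.

# Map the "Type:" field printed by `readelf -h` to a verdict.
# A PIE executable is ET_DYN; a traditional executable is ET_EXEC.
classify_elf_type() {
  case "$1" in
    DYN)  echo pie ;;
    EXEC) echo non-pie ;;
    *)    echo unknown ;;
  esac
}

# Compile a trivial program with no -fPIE/-pie on the command line so only
# the compiler's built-in default (or its specs) decides, then inspect the
# ELF header of the result. Prints pie / non-pie / unknown.
toolchain_default_pie() {
  cc="${1:-${CC:-gcc}}"
  tmp=$(mktemp -d) || { echo unknown; return 1; }
  printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
  if ! "$cc" -o "$tmp/t" "$tmp/t.c" 2>/dev/null; then
    rm -rf "$tmp"
    echo unknown
    return 1
  fi
  # $2 of the "Type:" line is DYN or EXEC on every binutils version.
  elf_type=$(readelf -h "$tmp/t" 2>/dev/null | awk '/^ *Type:/ { print $2 }')
  rm -rf "$tmp"
  classify_elf_type "$elf_type"
}
```

Run `toolchain_default_pie` (optionally with a compiler path as the argument) before starting the migration; "non-pie" means the glibc patch in point 2 will be skipped until gcc is rebuilt.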