Gentoo Archives: gentoo-dev

From: "Paweł Hajdan
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] hardened glibc and gcc dependencies
Date: Thu, 27 Oct 2011 09:04:46
Message-Id: 4EA91E7E.4000902@gentoo.org

As a part of my earlier threads I tried to figure out the migration plan
from not hardened glibc and not hardened gcc to both of them hardened.

That of course raises questions like - what we compile first, and what
are dependencies here?

Here's what I have figured out - by _experimenting_ not speculation:

1. Building glibc with USE=hardened works, no matter whether the
toolchain is hardened or not.

2. However, glibc won't apply one hardening-related patch if the used
toolchain is not pie-enabled.

3. Interestingly, gcc with USE=hardened compiles fine even if glibc is
-hardened. The vanilla spec works. I haven't tested the hardened spec.

Based on that, I suggest the following dependency changes (conceptually):

In glibc: DEPEND="gcc[hardened?]"
In gcc: PDEPEND="elibc_glibc? glibc[hardened?]"

Thoughts?
