| 1 |
On Fri, 23 Jun 2017 12:28:27 -0400 |
| 2 |
"Anthony G. Basile" <blueness@g.o> wrote: |
| 3 |
|
| 4 |
> Hardened Gentoo has two sides to it, kernel hardening (done via |
| 5 |
> hardened-sources) and toolchain/executable hardening. The two are |
| 6 |
> interrelated but independent enough that toolchain hardening can |
| 7 |
> continue on its own. The hardened kernel, however, provided PaX |
| 8 |
> protection for executables and this will be lost. We did a lot of |
| 9 |
> work to properly maintain PaX markings in our package management |
| 10 |
> system and there was no part of Gentoo that wasn't touched by issues |
| 11 |
> stemming from PaX support. |
| 12 |
|
| 13 |
|
| 14 |
Good luck to them at providing a complete userland ecosystem for using |
| 15 |
pax protection. Good luck at getting people accept and review their |
| 16 |
often crashing asm patches at upstream projects that won't even be able |
| 17 |
to test their benefits. |
| 18 |
|
| 19 |
Maybe we should start a business for this ? :) |
| 20 |
http://static.sstic.org/videos2015/SSTIC_2015-06-03_P08_CLIP.mp4 |
| 21 |
(This is for Patrice) |
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
We'll need to decide what to do with things like USE=pic. For media |
| 26 |
packages this is not something you usually want to enable as you can |
| 27 |
bear the 10Mb relocations at startup to have 10% or more performance |
| 28 |
improvement when reading your 2hours long movie. |
| 29 |
|
| 30 |
|
| 31 |
Alexis. |
Archives