On Fri, 23 Jun 2017 12:28:27 -0400
"Anthony G. Basile" <blueness@g.o> wrote:

> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of
> work to properly maintain PaX markings in our package management
> system and there was no part of Gentoo that wasn't touched by issues
> stemming from PaX support.


Good luck to them at providing a complete userland ecosystem for using
PaX protection. Good luck at getting people to accept and review their
often-crashing asm patches at upstream projects that won't even be able
to test their benefits.

Maybe we should start a business for this? :)
http://static.sstic.org/videos2015/SSTIC_2015-06-03_P08_CLIP.mp4
(This is for Patrice)



We'll need to decide what to do with things like USE=pic. For media
packages this is not something you usually want to enable, as you can
bear the 10Mb relocations at startup to have 10% or more performance
improvement when reading your 2-hour-long movie.


Alexis.
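The startup relocations Alexis refers to are the text relocations that non-PIC code carries in its dynamic section (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), which a PaX MPROTECT policy refuses to apply. The following is an added example, not code from the thread or from Gentoo: a small ELF64 dynamic-section check that flags such binaries, exercised on a constructed minimal image rather than a real file.

```python
import struct

# ELF constants from the System V ABI (not taken from the thread)
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4
PT_DYNAMIC = 2
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def build_elf(dyn_entries):
    """Construct a minimal little-endian ELF64 image: header, one PT_DYNAMIC
    program header, and the given (tag, value) dynamic entries. Test data only."""
    dyn_off = EHDR_SIZE + PHDR_SIZE
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, version 1
    # e_type=ET_DYN, e_machine=EM_X86_64, e_phoff=64, e_ehsize, e_phentsize, e_phnum=1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, EHDR_SIZE, 0, 0,
                                 EHDR_SIZE, PHDR_SIZE, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


def has_text_relocations(data):
    """Return True if the ELF64 image declares text relocations, i.e. the loader
    must write into code pages at startup (what USE=pic avoids)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"
    (e_phoff,) = struct.unpack_from(e + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            e + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + DYN_SIZE <= end:
            tag, val = struct.unpack_from(e + "qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
            pos += DYN_SIZE
        return False
    return False  # no dynamic segment: static binary, nothing to relocate at load


# Constructed samples: a non-PIC style library (TEXTREL) and a PIC-clean one.
TEXTREL_IMAGE = build_elf([(DT_FLAGS, DF_TEXTREL)])
CLEAN_IMAGE = build_elf([(DT_FLAGS, 0)])
```

On a real system the same check is what `scanelf -qT` or `readelf -d | grep TEXTREL` reports for an installed library.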