| 1 |
On Thu, Oct 20, 2011 at 10:36 AM, Anthony G. Basile <blueness@g.o> wrote: |
| 2 |
> I would not recommend PaX at this time. As Mike said, it breaks things, |
| 3 |
> sometimes important things. Eg. python ctypes was broken there for a |
| 4 |
> while on hardened. Also, unlike toolchain, it requires that you |
| 5 |
> configure your kernel correctly, ie have familiarity with what works and |
| 6 |
> what doesn't under certain PaX features. This may be trivial for us, |
| 7 |
> but might be more than we want to put newbies through. |
| 8 |
|
| 9 |
I used it as an example because it is passive for the most part, and I |
| 10 |
think most of the configuration could be handled by the ebuilds. |
| 11 |
|
| 12 |
However, I didn't mean to suggest that it was ready to be made a |
| 13 |
default. If the list of broken packages were small enough I think |
| 14 |
that it would be fair to consider it as a future default to work |
| 15 |
towards. |
| 16 |
|
| 17 |
I was trying to draw a contrast between passive things like |
| 18 |
stack-protection and things that really get in your face like MAC. |
| 19 |
|
| 20 |
Rich |
Archives