On Thu, Oct 20, 2011 at 10:36 AM, Anthony G. Basile <blueness@g.o> wrote:

> I would not recommend PaX at this time. As Mike said, it breaks things,
> sometimes important things. E.g. python ctypes was broken there for a
> while on hardened. Also, unlike toolchain, it requires that you
> configure your kernel correctly, i.e. have familiarity with what works and
> what doesn't under certain PaX features. This may be trivial for us,
> but might be more than we want to put newbies through.

I used it as an example because it is passive for the most part, and I
think most of the configuration could be handled by the ebuilds.

However, I didn't mean to suggest that it was ready to be made a
default. If the list of broken packages were small enough I think
that it would be fair to consider it as a future default to work
towards.

I was trying to draw a contrast between passive things like
stack-protection and things that really get in your face like MAC.

Rich