Gentoo Archives: gentoo-dev

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Building hardened gcc specs always, just not enabling them by default
Date: Sun, 23 Oct 2011 19:04:10
Message-Id: 4EA464F2.4040203@gentoo.org
In Reply to: [gentoo-dev] Building hardened gcc specs always, just not enabling them by default by "Paweł Hajdan
On 10/23/2011 02:00 PM, "Paweł Hajdan, Jr." wrote:
> Looks like the thread I started about moving more hardened features to
> default
> <http://archives.gentoo.org/gentoo-dev/msg_ef3dbd4ba400a5936cd5b7546b86d875.xml>
> got a lot of positive feedback. Kernel hardening features are more
> problematic, but hardening the toolchain seems to be within reach.
>
> I'd like to produce some implementation plan for that, and my suggestion
> is to change the meaning of the "hardened" USE flag for GCC. I'd like to
> build all 4 or so specs for gcc always, and the "hardened" USE flag
> would just control which one is the default: the vanilla one or
> full-hardening one.
>
> This would allow people to manually start using hardened toolchain
> without even switching profile, and should be a no-op for everyone else.
> From there we can later proceed to apply more features.
>
> Thoughts?
>
Where would the hardened profiles fit in this? This requires some
thought. Right now "hardened" means three choices: 1) hardened
toolchain, 2) hardened-sources kernel, 3) hardened profile. Some
packages are masked or added to the profile for the toolchain, some for
the kernel. We'd have to disentangle those. I'm not sure how the
details would play out.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
