1 |
On 10/23/2011 02:00 PM, "Paweł Hajdan, Jr." wrote: |
2 |
> Looks like the thread I started about moving more hardened features to |
3 |
> default |
4 |
> <http://archives.gentoo.org/gentoo-dev/msg_ef3dbd4ba400a5936cd5b7546b86d875.xml> |
5 |
> got a lot of positive feedback. Kernel hardening features are more |
6 |
> problematic, but hardening the toolchain seems to be within reach. |
7 |
> |
8 |
> I'd like to produce some implementation plan for that, and my suggestion |
9 |
> is to change the meaning of the "hardened" USE flag for GCC. I'd like to |
10 |
> build all 4 or so specs for gcc always, and the "hardened" USE flag |
11 |
> would just control which one is the default: the vanilla one or |
12 |
> full-hardening one. |
13 |
> |
14 |
> This would allow people to manually start using hardened toolchain |
15 |
> without even switching profile, and should be a no-op for everyone else. |
16 |
> From there we can later proceed to apply more features. |
17 |
> |
18 |
> Thoughts? |
19 |
> |
20 |
Where would the hardened profiles fit in this? This requires some |
21 |
thought. Right now "hardened" means three choices: 1) hardened |
22 |
toolchain, 2) hardened-sources kernel, 3) hardened profile. Some |
23 |
packages are masked or added to the profile for the toolchain, some for |
24 |
the kernel. We'd have to disentangle those. I'm not sure how the |
25 |
details would play out. |
26 |
|
27 |
-- |
28 |
Anthony G. Basile, Ph.D. |
29 |
Gentoo Linux Developer [Hardened] |
30 |
E-Mail : blueness@g.o |
31 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
32 |
GnuPG ID : D0455535 |