| 1 |
2011/10/20 Tomáš Chvátal <scarabeus@g.o>: |
| 2 |
> I would say that most hardened features should be merged to to main |
| 3 |
> profile as soon as they won't cause major PITA for the regular users. |
| 4 |
|
| 5 |
I agree - especially for stuff that doesn't require active setup |
| 6 |
(stack protection, PaX, etc). |
| 7 |
|
| 8 |
If there are features that we could turn on but for a few packages, |
| 9 |
maybe the solution there is to discuss them on-list and target them |
| 10 |
for future adoption and make an effort to fix the impacted ebuilds. |
| 11 |
Fix could mean either making the package work with the hardened |
| 12 |
feature, or disabling it just for that package (filter-flags, tag |
| 13 |
binaries not to run with features, etc). |
| 14 |
|
| 15 |
The hardened profile can still of course be the place where we push |
| 16 |
the envelope at the cost of more packages being masked, and there will |
| 17 |
always be things like MAC that represent a big change in how a system |
| 18 |
is run that will take a long time to become mainstream. |
| 19 |
|
| 20 |
Rich |
Archives