basile wrote:
>
> Hi, I have a couple of questions for Gordon and Nedd regarding
> rebuilding an entire desktop system with emerge -e world, both amd64 and
> i686. I'm mostly worried about the security implications of the
> choices I'm making and I'm not 100% sure of my understanding.
>
> 1) Regarding choice of compiler. gcc-config -l gives
>
> [1] x86_64-pc-linux-gnu-3.4.6
> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> [6] x86_64-pc-linux-gnu-4.1.2
>
> My understanding is that [1] is fully hardened and that [2]-[5] are
> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
> fully vanilla. My confusion is about 4.1.2. What hardening is present
> in it? (Did some hardening which wasn't present in gcc-3 make it to
> gcc-4 vanilla?) What's the best practice here?

You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be masked as that version does
not have any builtin hardened features, so is only a normal, non-hardened gcc-4.1.2.

>
>
> 2) Regarding the choice of profiles on amd64. I have
>
> [6] hardened/amd64
> [7] hardened/amd64/multilib *
> [10] hardened/linux/amd64
>
> I'm using the multilib and I'm wondering what the security implications
> of this decision are. Also, should I be thinking about the newer [10] on
> amd64? What about the similar choice on i686?
>
> Thanks guys.
>

What security implications should be there?
The newer [10] is still experimental and may change without warning. Use either [6] or [7] for now.

--
Thomas Sachau

Gentoo Linux Developer
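An added example, not part of the thread above: after an emerge -e world with one of the hardened gcc profiles, the practical question is whether the resulting executables actually carry the PIE and SSP markers. This small Python check reads the ELF header to see whether an executable was linked as ET_DYN (how PIE executables appear) and looks for the __stack_chk_fail reference that -fstack-protector canaries pull in; both the sample ELF bytes and the heuristic nature of the SSP test are assumptions stated in the comments.

```python
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
SSP_MARKER = b"__stack_chk_fail"  # symbol referenced by stack-protector canary checks


def check_hardening(data: bytes) -> dict:
    """Inspect raw ELF bytes and report PIE/SSP indicators.

    pie: True when e_type is ET_DYN. PIE executables are linked as ET_DYN,
         so this is only meaningful for executables, not shared objects.
    ssp: True when the __stack_chk_fail symbol name occurs in the image.
         Heuristic: a binary built with -fstack-protector whose functions
         never needed a canary will not reference it.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "elf_class": 64 if data[4] == 2 else 32,  # EI_CLASS: 1 = ELF32, 2 = ELF64
        "e_type": e_type,
        "pie": e_type == ET_DYN,
        "ssp": SSP_MARKER in data,
    }


def check_file(path: str) -> dict:
    """Run the check on an on-disk binary (e.g. something emerge just rebuilt)."""
    return check_hardening(Path(path).read_bytes())


def make_sample_elf(e_type: int, with_ssp: bool, elf_class: int = 2) -> bytes:
    """Constructed minimal little-endian x86_64 ELF header for offline testing.

    Not a loadable binary; it only exercises the header and marker logic.
    """
    ident = ELF_MAGIC + bytes([elf_class, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHI", e_type, 62, 1)  # e_type, EM_X86_64, EV_CURRENT
    return header + (SSP_MARKER if with_ssp else b"")


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = check_file(p)
        print(f"{p}: class={r['elf_class']} pie={r['pie']} ssp={r['ssp']}")
```

Run it as `python check_hardening.py /usr/bin/*` on a rebuilt system; executables reporting pie=False or ssp=False are candidates for a closer look with readelf.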