Hi, I have a couple of questions for Gordon and Nedd regarding
rebuilding an entire desktop system with emerge -e world, both amd64 and
i686. I'm mostly worried about the security implications of the
choices I'm making and I'm not 100% sure of my understanding.

1) Regarding choice of compiler. gcc-config -l gives

[1] x86_64-pc-linux-gnu-3.4.6
[2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
[3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
[4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
[5] x86_64-pc-linux-gnu-3.4.6-vanilla
[6] x86_64-pc-linux-gnu-4.1.2

My understanding is that [1] is fully hardened and that [2]-[5] are
exactly what they say, respectively no pie, no pie nor ssp, no ssp and
fully vanilla. My confusion is about 4.1.2. What hardening is present
in it? (Did some hardening which wasn't present in gcc-3 make it to
gcc-4 vanilla?) What's the best practice here?


2) Regarding the choice of profiles on amd64. I have

[6] hardened/amd64
[7] hardened/amd64/multilib *
[10] hardened/linux/amd64

I'm using the multilib and I'm wondering what the security implications
of this decision are. Also, should I be thinking about the newer [10] on
amd64? What about the similar choice on i686? 

Thanks guys.

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197
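Whichever gcc-config profile ends up selected, the question of what hardening a given toolchain actually applied is best settled by looking at the binaries it produced rather than at the profile name. The following is an added example (not part of the list post, and not a Gentoo tool) that reads an ELF file and reports the two properties the hardened/nopie/nossp variants above differ on: PIE, detected as an ET_DYN executable header, and SSP, detected heuristically by the presence of a reference to `__stack_chk_fail`. The sample headers at the bottom are constructed in-line so the script runs offline; `check_file` is the entry point for a real binary.

```python
"""Check an ELF binary for the PIE and SSP hardening discussed above.

Added example, not code from the mailing-list post or from Gentoo.
  - PIE: a position-independent executable has ELF type ET_DYN (3)
    instead of ET_EXEC (2). (Shared libraries are also ET_DYN, so apply
    this to executables, not .so files.)
  - SSP: a binary built with -fstack-protector references
    __stack_chk_fail from at least one instrumented function. This is a
    heuristic: a program with no protected functions shows no reference
    even when the compiler was hardened.
"""
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2
ET_DYN = 3


def elf_type(data: bytes) -> int:
    """Return the e_type field of an ELF header, honouring EI_DATA endianness."""
    if data[:4] != ELF_MAGIC or len(data) < 20:
        raise ValueError("not an ELF file")
    ei_data = data[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)  # e_type at offset 16
    return e_type


def check_hardening(data: bytes) -> dict:
    """Report PIE and SSP status for the raw bytes of an ELF executable."""
    e_type = elf_type(data)
    return {
        "pie": e_type == ET_DYN,
        "ssp": b"__stack_chk_fail" in data,  # heuristic, see module docstring
    }


def check_file(path) -> dict:
    """Convenience wrapper for a binary on disk, e.g. check_file('/bin/ls')."""
    return check_hardening(Path(path).read_bytes())


# Constructed sample inputs (assumptions, not real binaries): bare 64-byte
# ELF64 little-endian headers for x86-64 with no program or section headers.
def _fake_elf(e_type: int, extra: bytes = b"") -> bytes:
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9  # ELFCLASS64, LE, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,   # e_type, e_machine (x86-64), e_version
        0, 0, 0,         # e_entry, e_phoff, e_shoff
        0, 64, 56, 0,    # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,        # e_shentsize, e_shnum, e_shstrndx
    )
    return header + extra


SAMPLE_HARDENED = _fake_elf(ET_DYN, b"\x00__stack_chk_fail\x00")   # like [1]
SAMPLE_NOPIE = _fake_elf(ET_EXEC, b"\x00__stack_chk_fail\x00")    # like [2]
SAMPLE_VANILLA = _fake_elf(ET_EXEC)                                # like [5]

if __name__ == "__main__":
    for name, sample in [("hardened", SAMPLE_HARDENED),
                         ("nopie", SAMPLE_NOPIE),
                         ("vanilla", SAMPLE_VANILLA)]:
        print(name, check_hardening(sample))
```

On a real system the interesting run is over the binaries an `emerge -e world` just rebuilt, since that shows what the selected gcc-config profile actually did to each package regardless of what its name promises.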