On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@g.o> wrote:
> basile wrote:
>>
>> Hi, I have a couple of questions for Gordon and Nedd regarding
>> rebuilding an entire desktop system with emerge -e world, both amd64 and
>> i686. I'm mostly worried about the security implications of the
>> choices I'm making and I'm not 100% sure of my understanding.
>>
>> 1) Regarding choice of compiler. gcc-config -l gives
>>
>> [1] x86_64-pc-linux-gnu-3.4.6
>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>> [6] x86_64-pc-linux-gnu-4.1.2
>>
>> My understanding is that [1] is fully hardened and that [2]-[5] are
>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
>> fully vanilla. My confusion is about 4.1.2. What hardening is present
>> in it? (Did some hardening which wasn't present in gcc-3 make it to
>> gcc-4 vanilla?) What's the best practice here?
>
> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be masked as that version does
> not have any builtin hardened features, so is only a normal, non-hardened gcc-4.1.2

This can happen when using a non-hardened stage3 tarball during the
install, then switching to the hardened profile later.

I've noticed it's not immediately clear where to get hardened stages
in the documentation. For those wondering, the mirror URL can be found
in the topic on #gentoo-hardened, i.e.:
http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/

>
>>
>> 2) Regarding the choice of profiles on amd64. I have
>>
>> [6] hardened/amd64
>> [7] hardened/amd64/multilib *
>> [10] hardened/linux/amd64
>>
>> I'm using the multilib and I'm wondering what the security implications
>> of this decision are. Also, should I be thinking about the newer [10] on
>> amd64? What about the similar choice on i686?
>>
>> Thanks guys.
>>
>
> What security implications should be there?
> The newer [10] is still experimental and may change without warning. Use either [6] or [7] for now.
>
> --
> Thomas Sachau
>
> Gentoo Linux Developer
>

--
Mansour Moufid
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDF2862BA
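The thread turns on whether the gcc selected by gcc-config actually has the hardened defaults (PIE and SSP) or is a plain gcc-4.1.2 slipped in from a non-hardened stage3. The following check is an added example, not part of the thread or of Gentoo's own tooling: it compiles a small probe with the active gcc and no hardening flags, then reads the ELF back to see whether the compiler's defaults produced a PIE binary and stack-protector instrumentation. It assumes gcc and readelf (binutils) are on PATH and reports "unknown" if either is missing.

```shell
#!/bin/sh
# Added probe (not from the thread): report whether the currently selected
# gcc emits PIE and SSP-instrumented code by default.
probe_hardening() {
    command -v gcc >/dev/null 2>&1 || { echo "unknown"; return 0; }
    command -v readelf >/dev/null 2>&1 || { echo "unknown"; return 0; }
    tmp=$(mktemp -d) || return 1
    # A function with a local char array is what -fstack-protector
    # instruments; -O0 keeps the compiler from optimising the buffer away.
    cat > "$tmp/probe.c" <<'EOF'
#include <string.h>
int f(const char *s) { char buf[64]; strncpy(buf, s, sizeof buf - 1); buf[63] = 0; return buf[0]; }
int main(int argc, char **argv) { return argc > 1 ? f(argv[1]) : 0; }
EOF
    # Deliberately no -fPIE/-pie/-fstack-protector: we want the defaults
    # baked into the selected gcc-config profile, not flags we pass.
    if ! gcc -O0 -o "$tmp/probe" "$tmp/probe.c" 2>/dev/null; then
        rm -rf "$tmp"; echo "unknown"; return 0
    fi
    pie=no; ssp=no
    # A PIE executable has ELF type DYN; a fixed-address one has type EXEC.
    readelf -h "$tmp/probe" | grep -q 'Type:.*DYN' && pie=yes
    # SSP instrumentation references the __stack_chk_fail canary check.
    readelf -s "$tmp/probe" | grep -q '__stack_chk_fail' && ssp=yes
    rm -rf "$tmp"
    echo "pie=$pie ssp=$ssp"
}
```

On a system where gcc-config points at a hardened profile this prints `pie=yes ssp=yes`; `pie=no ssp=no` is what a vanilla or the unmasked gcc-4.1.2 from the thread would give, which is the case to fix before running emerge -e world.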