| 1 |
Alan McKinnon wrote: |
| 2 |
> |
| 3 |
> emerge -e world does remerge everything, but not in the order you'd |
| 4 |
> expect. try it with -p, you'll see that glibc and gcc are near the end. |
| 5 |
> |
| 6 |
> You want them at the beginning, so that the hardened system is built by |
| 7 |
> a compiler and libc that is hardened as well as the rest of the toolchain. |
| 8 |
> |
| 9 |
> Now whereas a compiler can in theory be told to generate any kind of |
| 10 |
> code for anything, including hard code when it itself is not hard, can |
| 11 |
> you really be sure it actually will do that? Plus the rest of the |
| 12 |
> toolchain too. |
| 13 |
> |
| 14 |
> The only certain way is to build a hardened toolchain then rebuild the |
| 15 |
> entire system with it. |
| 16 |
> |
| 17 |
> emerge -e system ; emerge -e world is not the fastest route of minimal |
| 18 |
> compilation effort, but it sure is the easiest for the human in charge: |
| 19 |
> one line in bash, press enter, walk away. |
| 20 |
> |
| 21 |
> |
| 22 |
|
| 23 |
This may be a good time to use the script off the forums. I used it a |
| 24 |
few weeks or so ago and it worked great. It certainly does things in a |
| 25 |
different order than portage. |
| 26 |
|
| 27 |
Dale |
| 28 |
|
| 29 |
:-) :-) |
Archives