| 1 |
On 15/03/11 20:05, Grant wrote: |
| 2 |
> A dev is asking me to switch to a hardened profile in order to test a |
| 3 |
> fix. I'm happy to go through the process, but is there a chance my |
| 4 |
> laptop could be unusable after the switch? If that happens I'll be in |
| 5 |
> real trouble. Will I be able to switch back to a non-hardened profile |
| 6 |
> afterward? I plan to follow this guide: |
| 7 |
> |
| 8 |
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile |
| 9 |
> |
| 10 |
> BTW, are emerge -e world and emerge -e system both necessary? I |
| 11 |
> thought emerge -e world would rebuild everything. |
| 12 |
|
| 13 |
emerge -e world does remerge everything, but not in the order you'd |
| 14 |
expect. try it with -p, you'll see that glibc and gcc are near the end. |
| 15 |
|
| 16 |
You want them at the beginning, so that the hardened system is built by |
| 17 |
a compiler and libc that is hardened as well as the rest of the toolchain. |
| 18 |
|
| 19 |
Now whereas a compiler can in theory be told to generate any kind of |
| 20 |
code for anything, including hard code when it itself is not hard, can |
| 21 |
you really be sure it actually will do that? Plus the rest of the |
| 22 |
toolchain too. |
| 23 |
|
| 24 |
The only certain way is to build a hardened toolchain then rebuild the |
| 25 |
entire system with it. |
| 26 |
|
| 27 |
emerge -e system ; emerge -e world is not the fastest route of minimal |
| 28 |
compilation effort, but it sure is the easiest for the human in charge: |
| 29 |
one line in bash, press enter, walk away. |
| 30 |
|
| 31 |
|
| 32 |
-- |
| 33 |
alan dot mckinnon at gmail dot com |
Archives