| 1 |
On 02-12-2017 ,13:28:37, Ian Zimmerman wrote: |
| 2 |
> This profile change seems to have hit a few people in sensitive |
| 3 |
> locations. |
| 4 |
> |
| 5 |
> What is the upshot of this change? Can I eyeball the diff _before_ I |
| 6 |
> sync ? |
| 7 |
|
| 8 |
This is what the news item states: |
| 9 |
================================= |
| 10 |
~ $ eselect news read new |
| 11 |
2017-11-30-new-17-profiles |
| 12 |
Title New 17.0 profiles in the Gentoo repository |
| 13 |
Author Andreas K. Hüttel <dilfridge@g.o> |
| 14 |
Posted 2017-11-30 |
| 15 |
Revision 1 |
| 16 |
|
| 17 |
We have just added (for all arches except arm and mips, these follow |
| 18 |
later) a new set of profiles with release version 17.0 to the Gentoo |
| 19 |
repository. These bring three changes: |
| 20 |
1) The default C++ language version for applications is now C++14. |
| 21 |
This change is mostly relevant to Gentoo developers. It also |
| 22 |
means, however, that compilers earlier than GCC 6 are masked |
| 23 |
and not supported for use as a system compiler anymore. Feel |
| 24 |
free to unmask them if you need them for specific applications. |
| 25 |
2) Where supported, GCC will now build position-independent |
| 26 |
executables (PIE) by default. This improves the overall |
| 27 |
security fingerprint. The switch from non-PIE to PIE binaries, |
| 28 |
however, requires some steps by users, as detailed below. |
| 29 |
3) Up to now, hardened profiles were separate from the default |
| 30 |
profile tree. Now they are moving into the 17.0 profile |
| 31 |
as a feature there, similar to "no-multilib" and "systemd". |
| 32 |
|
| 33 |
Please migrate away from the 13.0 profiles within the six weeks after |
| 34 |
GCC 6.4.0 has been stabilized on your architecture. The 13.0 profiles |
| 35 |
will be deprecated then and removed in half a year. |
| 36 |
|
| 37 |
If you are not already running a hardened setup with PIE enabled, then |
| 38 |
switching the profile involves the following steps: |
| 39 |
If not already done, |
| 40 |
* Use gcc-config to select gcc-6.4.0 or later as system compiler |
| 41 |
* Re-source /etc/profile: |
| 42 |
. /etc/profile |
| 43 |
* Re-emerge libtool |
| 44 |
emerge -1 sys-devel/libtool |
| 45 |
Then, |
| 46 |
* Select the new profile with eselect |
| 47 |
* Re-emerge, in this sequence, gcc, binutils, and glibc |
| 48 |
emerge -1 sys-devel/gcc:6.4.0 |
| 49 |
emerge -1 sys-devel/binutils |
| 50 |
emerge -1 sys-libs/glibc |
| 51 |
* Rebuild your entire system |
| 52 |
emerge -e @world |
| 53 |
|
| 54 |
Switching the profile from 13.0 to 17.0 modifies the settings of |
| 55 |
GCC 6 to generate PIE executables by default; thus, you need to do |
| 56 |
the rebuilds even if you have already used GCC 6 beforehand. |
| 57 |
If you do not follow these steps you may get spurious build |
| 58 |
failures when the linker tries unsuccessfully to combine non-PIE |
| 59 |
and PIE code. |
| 60 |
======================================== |
Archives