On 03/13/2012 01:07 PM, Mitch Harder wrote:
> On Tue, Mar 13, 2012 at 3:03 AM, Steven Cristian
> <stevencrist...@hotmail.com> wrote:
>> Once you use the 'hardened' flag on sys-devel/gcc and base-gcc it shows this:
>>
>> blacknoxis SpecialPackages # gcc-config -l
>>  [1] x86_64-pc-linux-gnu-4.6.2 *
>>  [2] x86_64-pc-linux-gnu-4.6.2-hardenednopie
>>  [3] x86_64-pc-linux-gnu-4.6.2-hardenednopiessp
>>  [4] x86_64-pc-linux-gnu-4.6.2-hardenednossp
>>  [5] x86_64-pc-linux-gnu-4.6.2-vanilla
>
> As Steven showed, with a hardened gcc, you'll have 5 gcc profiles.
>
> My recommendation would be to modify the Sabayon gcc ebuilds to make
> the "vanilla" version the default, since most users probably will have
> no idea about building hardened packages, or know what to do when
> problems arise.
>
> So, if we rebuild our gcc package with the "hardened" USE flag, but
> set the default gcc profile to "vanilla", the net effect is that users
> won't see any changes unless they start to do their own homework on
> building hardened packages. Then, all they need to do is switch the
> gcc profile.
>
> But we should avoid silently switching all our users to
> build-hardened-by-default, since there are occasional issues with
> building hardened. I think the users need to actively buy in to a
> hardened gcc.

This will not work.

1) glibc needs to be compiled with USE=hardened to apply some necessary patches, and it needs to be compiled with a hardened compiler to get -D_FORTIFY_SOURCE=2. So the toolchain (gcc/glibc/binutils) must be compiled and then recompiled with USE=hardened.

2) If the entire system is not compiled hardened, then the system libraries will lack the security from hardening. Why bother then with hardening at all?


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
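The thread turns on whether a system's binaries and libraries were actually built hardened (PIE, non-executable stack, RELRO), which is what the gcc profile names above (hardenednopie, hardenednossp, vanilla) control. The following is an added example, not code from the mailing-list thread or from Gentoo/Sabayon: a small ELF64 inspector that reads the program headers and dynamic section to report those three properties, so a user can verify what a given gcc profile produced instead of trusting the profile name. It parses only the ELF structures themselves; the constructed `build_sample` helper fabricates minimal, non-loadable ELF images purely as offline test input. Stack-protector and FORTIFY_SOURCE use are not visible in these headers (they show up as `__stack_chk_fail` and `*_chk` symbol references), so this check is deliberately limited to what the headers carry.

```python
"""Report PIE, NX stack and RELRO status of ELF64 files from their headers.

Added example (not part of the original thread). Only program headers and
the PT_DYNAMIC table are inspected; SSP/FORTIFY need a symbol-table check.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf64(data: bytes) -> dict:
    """Return {'pie': bool, 'nx_stack': bool, 'relro': 'none'|'partial'|'full'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)

    # ET_DYN means position-independent; note that shared objects are ET_DYN too.
    result = {"pie": e_type == ET_DYN, "nx_stack": None, "relro": "none"}
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            endian + "IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"      # upgraded to 'full' if BIND_NOW is set
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # A missing PT_GNU_STACK header is treated as executable (the loader default).
    if result["nx_stack"] is None:
        result["nx_stack"] = False

    # Full RELRO = GNU_RELRO segment plus immediate binding (DF_BIND_NOW / DF_1_NOW).
    if result["relro"] == "partial" and dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from(endian + "qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                result["relro"] = "full"
                break
    return result


def build_sample(pie=True, nx_stack=True, relro=True, bind_now=True) -> bytes:
    """Construct a minimal, non-loadable little-endian ELF64 image for testing."""
    def phdr(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0,
                           p_filesz, p_filesz, 8)

    phdrs = [phdr(PT_GNU_STACK, 0x6 if nx_stack else 0x7)]   # RW vs RWX
    if relro:
        phdrs.append(phdr(PT_GNU_RELRO, 0x4))
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    phnum = len(phdrs) + 1
    dyn_off = 64 + 56 * phnum                    # dynamic table follows the phdrs
    phdrs.append(phdr(PT_DYNAMIC, 0x6, dyn_off, len(dyn)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary ...  (real files are read here)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_elf64(f.read()))
```

Run it over a few system libraries built under different gcc profiles and the output should differ in the `pie` and `relro` fields; a library that reports `pie: False` or `relro: 'none'` is one that point 2 above is about, regardless of which profile the toolchain claims to be using.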

