On 10/20/2011 04:47 AM, "Paweł Hajdan, Jr." wrote:
> I've noticed
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
> Debian is starting to make more and more hardening features default, at
> least for most packages.
>
> Should we start doing that too? What are possible problems with that? It
> seems like it's mostly about USE=hardened, right?
>
> I've noticed that several binary drivers like nvidia-drivers are masked
> on hardened - is it a problem with hardened-sources, or with hardened
> toolchain?

The nvidia-driver problem is due to PaX in the kernel, so it's hardened-sources.
USE=hardened refers to only toolchain hardening. The problems there are mostly packages which break with PIE because they (ab)use assembly. Things like virtualbox and some codecs. This can become a thorny mess.

It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2 and ssp into mainstream though. Packages which break because of either of those two features are broken and should be fixed anyhow.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
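When deciding whether to turn PIE, SSP and FORTIFY_SOURCE on by default, the first practical question is which installed binaries already carry them. The probe below is an added example (not code from the thread, from Gentoo or from Debian's hardening-check script, although it borrows the latter's approach): it reads the ELF header to see whether the executable is position-independent (ET_DYN), and scans the image for the symbols that a stack-protector build (`__stack_chk_fail`) and a fortified build (the libc `*_chk` variants) pull in. The `make_sample_elf` helper constructs a minimal 64-bit little-endian ELF image so the script runs offline; the list of fortified symbol names is a hypothetical subset chosen for illustration.

```python
"""Crude ELF hardening probe, in the spirit of Debian's hardening-check.

Reports the three toolchain features discussed in the thread:
  pie      - e_type == ET_DYN (position-independent executable)
  ssp      - image references __stack_chk_fail (-fstack-protector)
  fortify  - image references a libc *_chk variant (-D_FORTIFY_SOURCE)

The symbol checks are plain byte scans, so a stripped static binary or one
that never calls a fortifiable libc function can give a misleading answer;
treat a negative result as "needs a closer look", not as proof.
"""
import struct
import sys

ET_EXEC = 2   # classic fixed-address executable
ET_DYN = 3    # shared object or PIE executable

# Hypothetical subset of the *_chk symbols glibc exports for FORTIFY_SOURCE.
FORTIFIED_SYMBOLS = (
    b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk",
    b"__printf_chk", b"__read_chk", b"__fgets_chk",
)
STACK_PROTECTOR_SYMBOL = b"__stack_chk_fail"


def elf_hardening(data: bytes) -> dict:
    """Return {'class': 32|64, 'pie': bool, 'ssp': bool, 'fortify': bool}."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    endian = "<" if ei_data == 1 else ">"
    # e_type sits right after the 16-byte e_ident block in both ELF classes.
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "class": 64 if ei_class == 2 else 32,
        "pie": e_type == ET_DYN,
        "ssp": STACK_PROTECTOR_SYMBOL in data,
        "fortify": any(sym in data for sym in FORTIFIED_SYMBOLS),
    }


def missing_hardening(data: bytes) -> list:
    """List the features (in a fixed order) that the image does not show."""
    info = elf_hardening(data)
    return [name for name in ("pie", "ssp", "fortify") if not info[name]]


def make_sample_elf(e_type: int, symbols: bytes) -> bytes:
    """Constructed sample: a valid 64-bit little-endian ELF header followed
    by a fake string table.  Only the fields this probe reads are meaningful;
    the image is not loadable."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LE, v1
    # e_type, e_machine (x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                   e_type, 62, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return header + symbols


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Probe a real file given on the command line.
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
        print(sys.argv[1], elf_hardening(image), "missing:", missing_hardening(image))
    else:
        hardened = make_sample_elf(ET_DYN, b"__stack_chk_fail\0__memcpy_chk\0")
        plain = make_sample_elf(ET_EXEC, b"main\0")
        print("hardened sample:", elf_hardening(hardened))
        print("plain sample   :", elf_hardening(plain), "missing:", missing_hardening(plain))
```

Running it over a directory of installed executables (one path per invocation, or wrapped in a loop) gives a quick census of which packages would be affected by making the flags default; a binary reporting `pie: False` that contains hand-written assembly is exactly the kind of package the reply above expects to break.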