On Thu, Oct 20, 2011 at 10:36 AM, Anthony G. Basile <bluen...@gentoo.org> wrote:
> I would not recommend PaX at this time. As Mike said, it breaks things,
> sometimes important things. E.g. python ctypes was broken there for a
> while on hardened. Also, unlike toolchain, it requires that you
> configure your kernel correctly, i.e. have familiarity with what works and
> what doesn't under certain PaX features. This may be trivial for us,
> but might be more than we want to put newbies through.
I used it as an example because it is passive for the most part, and I think most of the configuration could be handled by the ebuilds. However, I didn't mean to suggest that it was ready to be made a default. If the list of broken packages were small enough, I think that it would be fair to consider it as a future default to work towards.

I was trying to draw a contrast between passive things like stack-protection and things that really get in your face like MAC.

Rich