Dropping -fpic isn't working out. There are too many static convenience libs that get linked into programs.
The new gcc specs patch should be ready today or tomorrow. It's much more configurable, and there may be parts that some of you may not want... like changes to libmudflap so it just kills programs instead of giving debugging info. By default, without adding definitions to the headers, the patch will change nothing.

I added mkstemps to the arc4random glibc patch, so libiberty and others can use this libc version instead. I just copied mkstemps.c from gcc, and replaced gettimeofday() with arc4random(). There's a bit of duplicate code with the other mktemp stuff in glibc, but it's probably less than 1kb compiled so it's no big deal. This way the mktemp family in glibc doesn't need to be completely rewritten to support mkstemps().

Glibc-2.6 and GCC-4.2 are out, but I'd like to keep Glibc-2.5 and gcc-4.1.x. Neither of the new packages has added any significant hardening changes, and they're both going to take 6-12 months to stabilize with other packages.

It looks like the only way to get Glibc-2.6 working with Linux-2.4 is to disable threading. I don't think this is such a big problem. Linux-2.4 would be used mainly for network servers, and those daemons generally don't link to libpthread. Also, the pth gnu package can be used as a threading library.

While reading changes to Glibc-2.6, I discovered the strfry() function, and it's another place arc4random() can be used. strfry() is a glibc-specific function that returns a randomized string. I'm not sure what uses it, but it's another function that uses gettimeofday() for entropy.

I finally added frandom back to the book earlier today. I talked to the Fortuna developer about adding frandom to his patch, but it looks like his opinion is to use /dev/urandom (his version) for everything and forget everything else.

robert
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
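
As an added illustration (not code from this message or from the HLFS glibc patch), here is a minimal mkstemps()-style function in C whose six placeholder characters come from a CSPRNG instead of gettimeofday(), so the temporary file name cannot be derived from the creation time. `demo_mkstemps` and `csprng_bytes` are hypothetical names, and reading /dev/urandom stands in for arc4random().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for arc4random(): fill buf from the kernel CSPRNG (assumption:
   /dev/urandom is readable; the patched glibc would call arc4random()). */
static int csprng_bytes(void *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got == (ssize_t)n ? 0 : -1;
}

/* Hypothetical mkstemps() look-alike: tmpl ends in "XXXXXX" followed by
   suffix_len fixed characters, e.g. "/tmp/ccXXXXXX.o" with suffix_len 2. */
int demo_mkstemps(char *tmpl, int suffix_len)
{
    static const char letters[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    size_t len = strlen(tmpl);

    if (suffix_len < 0 || len < 6 + (size_t)suffix_len ||
        memcmp(tmpl + len - suffix_len - 6, "XXXXXX", 6) != 0) {
        errno = EINVAL;
        return -1;
    }
    char *x = tmpl + len - suffix_len - 6;

    for (int attempt = 0; attempt < 100; attempt++) {
        uint32_t r[6];
        if (csprng_bytes(r, sizeof r) != 0)
            return -1;
        for (int i = 0; i < 6; i++)
            x[i] = letters[r[i] % 62];  /* modulo bias is negligible here */

        /* O_EXCL refuses an existing file or a pre-planted symlink. */
        int fd = open(tmpl, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;
    }
    errno = EEXIST;
    return -1;
}
```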
