On 12/15/2017 06:09 AM, Robert Sharp wrote:
>
> MISSING="berkdb gdbm tcpd ptpax session dri urandom"
>
> Is this a deliberate change or are they actually missing?
>

These are all intentional, but perhaps with an unintended side effect.
The default/linux profile sets,

  USE="berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib"
  ...
  USE="${USE} cli pcre session"

Most of those flags are unnecessary, so the hardened profile disables
them (to reduce the surface area for attack):

  # Default starting set of USE flags for all default/linux profiles.
  # We unset them so we get a clean use flag profile.
  USE="${USE} -berkdb -gdbm -tcpd"
  USE="${USE} -fortran"
  USE="${USE} -cli -session"
  USE="${USE} -dri"
  USE="${USE} -modules"

What that's trying to accomplish is to undo the overzealous USE in the
default/linux profile, but unfortunately, the "-foo" flags (with the
default stacking order in portage) will override the IUSE="+foo"
defaults set in the ebuilds themselves. So, for example, dev-lang/php
sets IUSE="+cli +session", but they'll be disabled when using the
hardened profile.

USE=ptpax is something else entirely. By now, everyone should be using
the default xattr markings with PAX_MARKINGS=XT in make.conf (the new
profile does this for you). USE=ptpax was dropped by default because you
shouldn't need it any more.

At least for "modules" and "session", we will eventually drop them as
defaults so that everything works right again:

  * https://bugs.gentoo.org/635720 (modules)
  * https://bugs.gentoo.org/635742 (session)
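
The stacking effect described in the message above, as an added example that is not part of the original e-mail and is not Portage's own code. It assumes a simplified two-layer model (ebuild IUSE defaults below the profile make.defaults files); the function names and the "session dropped" profile strings are constructed for illustration.

```python
# Added illustration: a simplified model of incremental USE stacking.
# Assumption: only two layers are modelled (ebuild IUSE defaults, then the
# profile make.defaults files, parent first); real Portage has more layers.

def stack(layers):
    """Apply USE strings in order; a later 'foo' or '-foo' wins."""
    enabled = set()
    for layer in layers:
        for tok in layer.split():
            if tok == "-*":
                enabled.clear()
            elif tok.startswith("-"):
                enabled.discard(tok[1:])
            else:
                enabled.add(tok)
    return enabled

def effective_use(iuse, profile_layers):
    """Flags enabled for one package, given its IUSE and the profile stack."""
    known = {f.lstrip("+-") for f in iuse.split()}
    iuse_defaults = " ".join(f[1:] for f in iuse.split() if f.startswith("+"))
    # IUSE defaults sit below the profiles, so a profile "-foo" beats "+foo".
    return stack([iuse_defaults, *profile_layers]) & known

# USE values as quoted in the message (the elided "..." lines are not modelled).
DEFAULT_LINUX = ("berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib "
                 "cli pcre session")
HARDENED = "-berkdb -gdbm -tcpd -fortran -cli -session -dri -modules"
PHP_IUSE = "+cli +session"  # dev-lang/php, as quoted

# Constructed: the same profiles with "session" dropped from both, the
# direction the message describes for "modules" and "session".
DEFAULT_LINUX_NO_SESSION = DEFAULT_LINUX.replace(" session", "")
HARDENED_NO_SESSION = HARDENED.replace(" -session", "")

def demo():
    return {
        "default/linux only": effective_use(PHP_IUSE, [DEFAULT_LINUX]),
        "hardened": effective_use(PHP_IUSE, [DEFAULT_LINUX, HARDENED]),
        "session dropped": effective_use(
            PHP_IUSE, [DEFAULT_LINUX_NO_SESSION, HARDENED_NO_SESSION]),
    }

if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name:20} {sorted(flags)}")
```

With "session" absent from both profile layers, the ebuild's "+session" default survives, while "cli" stays off because the hardened layer still carries "-cli".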