On 13/03/2012 19:19, Anthony G. Basile wrote:
> On 03/13/2012 01:07 PM, Mitch Harder wrote:
>> On Tue, Mar 13, 2012 at 3:03 AM, Steven Cristian
>> <[email protected]> wrote:
>>> Once you use the 'hardened' flag on sys-devel/gcc and base-gcc it
>>> shows this:
>>>
>>> blacknoxis SpecialPackages # gcc-config -l
>>> [1] x86_64-pc-linux-gnu-4.6.2 *
>>> [2] x86_64-pc-linux-gnu-4.6.2-hardenednopie
>>> [3] x86_64-pc-linux-gnu-4.6.2-hardenednopiessp
>>> [4] x86_64-pc-linux-gnu-4.6.2-hardenednossp
>>> [5] x86_64-pc-linux-gnu-4.6.2-vanilla
>>>
>> As Stephen showed, with a hardened gcc, you'll have 5 gcc profiles.
>>
>> My recommendation would be to modify the Sabayon gcc ebuilds to make
>> the "vanilla" version the default, since most users probably will have
>> no idea about building hardened packages, or know what to do when
>> problems arise.
>>
>> So, if we rebuild our gcc package with the "hardened" USE flag, but
>> set the default gcc profile to "vanilla", the net effect is that users
>> won't see any changes unless they start to do their own homework on
>> building hardened packages. Then, all they need to do is switch the
>> gcc profile.
>>
>> But we should avoid silently switching all our users to
>> build-hardened-by-default since there are occasional issues with
>> building hardened. I think the users need to actively "buy-in" to a
>> hardened gcc.
>>
>
> This will not work.
>
> 1) glibc needs to be compiled with USE=hardened to apply some necessary
> patches, and it needs to be compiled with a hardened compiler to get
> -D_FORTIFY_SOURCES=2. So the toolchain (gcc/glibc/binutils) must be
> compiled and then recompiled with USE=hardened.
>
> 2) If the entire system is not compiled hardened, then the system
> libraries will lack the security from hardening. Why bother then with
> hardening at all?
>
+1

I'm a game programmer and, if everything goes well, the current game I'm working on will see the light on Windows. It's early to say, but I didn't give up on hope yet.

Anyways, the idea is to use Sabayon as a build server (other than my own developing machine). As you can guess, squeezing some extra perf has priority over hardening for us, and this is also true for the home project I work on. I would hate to have to link against some slow libs, or use compiler settings that cause unnecessary slowdowns.

I agree with Anthony in that the "normal" gcc should be easily available, and possibly remain the default. Or it should at least be clear:

1) what performance penalties there will be
2) how to switch to the vanilla gcc

Bye!
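Whichever profile ends up as the default, a build server should be able to verify what the compiler it is actually invoking does by default, rather than trusting the `gcc-config` label. The script below is an added example, not code from the thread or from Sabayon/Gentoo: it classifies a compiler's built-in hardening from its predefined-macro dump (`gcc -dM -E`), using the same pie/ssp naming as the profiles listed above. It assumes a gcc that reports PIE via `__PIE__`, stack-protector via `__SSP*__`, and that the hardened specs inject `-D_FORTIFY_SOURCE=2` when optimising; the mapping of macro combinations onto profile names is an approximation, not the profile definitions themselves.

```sh
#!/bin/sh
# Added example: classify hardening defaults from a `gcc -dM -E` macro dump.
# Not part of the original thread; macro names are assumptions noted above.

# classify_hardening: reads a predefined-macro dump on stdin and prints one
# of: hardened, hardenednopie, hardenednossp, hardenednopiessp, vanilla.
# Only PIE and SSP decide the pie/ssp suffixes; FORTIFY alone (no PIE, no
# SSP) is taken as the "hardenednopiessp" spec, nothing at all as vanilla.
classify_hardening() {
    dump=$(cat)
    pie=no; ssp=no; fortify=no
    printf '%s\n' "$dump" | grep -q '^#define __PIE__' && pie=yes
    printf '%s\n' "$dump" | grep -q '^#define __SSP' && ssp=yes
    printf '%s\n' "$dump" | grep -q '^#define _FORTIFY_SOURCE 2' && fortify=yes
    case "$pie$ssp" in
        yesyes) echo hardened ;;
        noyes)  echo hardenednopie ;;
        yesno)  echo hardenednossp ;;
        nono)   if [ "$fortify" = yes ]; then echo hardenednopiessp
                else echo vanilla; fi ;;
    esac
}

# probe_gcc: dump the built-in macros of the compiler in $CC (default gcc)
# at -O2 (FORTIFY is only injected when optimising) and classify them.
probe_gcc() {
    echo | "${CC:-gcc}" -dM -E -O2 -x c - | classify_hardening
}

# Constructed sample dumps (trimmed to the relevant lines), so the
# classifier can be exercised without a toolchain present.
SAMPLE_HARDENED='#define __PIE__ 2
#define __SSP_STRONG__ 3
#define _FORTIFY_SOURCE 2'
SAMPLE_VANILLA='#define __GNUC__ 4
#define __x86_64__ 1'

# demo: classify the constructed samples; returns the two labels on one line.
demo() {
    h=$(printf '%s\n' "$SAMPLE_HARDENED" | classify_hardening)
    v=$(printf '%s\n' "$SAMPLE_VANILLA" | classify_hardening)
    echo "sample-hardened=$h sample-vanilla=$v"
}

demo
# Only probe a real compiler when one is installed.
if command -v "${CC:-gcc}" >/dev/null 2>&1; then
    echo "active compiler: $(probe_gcc)"
fi
```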
