On 10/23/2011 02:00 PM, "Paweł Hajdan, Jr." wrote:
> Looks like the thread I started about moving more hardened features to
> default
> <http://archives.gentoo.org/gentoo-dev/msg_ef3dbd4ba400a5936cd5b7546b86d875.xml>
> got a lot of positive feedback. Kernel hardening features are more
> problematic, but hardening the toolchain seems to be within reach.
>
> I'd like to produce some implementation plan for that, and my suggestion
> is to change the meaning of the "hardened" USE flag for GCC. I'd like to
> build all 4 or so specs for gcc always, and the "hardened" USE flag
> would just control which one is the default: the vanilla one or
> full-hardening one.
>
> This would allow people to manually start using hardened toolchain
> without even switching profile, and should be a no-op for everyone else.
> From there we can later proceed to apply more features.
>
> Thoughts?
>
Where would the hardened profiles fit in this?  This requires some
thought.  Right now "hardened" means three choices: 1) hardened
toolchain, 2) hardened-sources kernel, 3) hardened profile.  Some
packages are masked or added to the profile for the toolchain, some for
the kernel.  We'd have to disentangle those.  I'm not sure how the
details would play out.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : [email protected]
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535


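Whether a toolchain is running with the vanilla or the full-hardening spec is visible from the compiler itself, so here is an added example (my own script, not code from this thread or from Gentoo's gcc ebuilds) that probes a compiler's no-flag defaults: stack-protector level, PIE, _FORTIFY_SOURCE, and at link time ET_DYN vs ET_EXEC, GNU_RELRO and BIND_NOW. It assumes a POSIX sh with od, tr and sed, a gcc- or clang-compatible compiler named by $CC (default cc), and optionally readelf from binutils; the __SSP__/__SSP_STRONG__/__SSP_ALL__ and __PIE__ macros it keys on are the ones gcc and clang predefine for -fstack-protector* and -fPIE, and _FORTIFY_SOURCE only shows up when the spec injects it. The ELF header bytes and macro listings used for checking are constructed inputs, not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the gentoo-dev thread or the Gentoo project:
# report the hardening a C compiler applies with no extra flags, which is
# exactly what a "hardened" gcc spec changes. Save as hardprobe.sh and run
# "CC=gcc sh hardprobe.sh"; the functions are also usable on their own.
# Assumptions: POSIX sh with od, tr and sed; a gcc- or clang-compatible
# compiler (default "cc"); readelf from binutils is optional.

# ELF e_type of a file: 2 = ET_EXEC (fixed load address), 3 = ET_DYN (PIE or
# shared object). Reads the header bytes directly, so it needs no binutils,
# and honours the EI_DATA byte for endianness.
elf_type() {
    f="$1"
    magic=$(od -An -c -N4 "$f" | tr -d ' ')
    [ "$magic" = "177ELF" ] || { echo "not-elf"; return 1; }
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' ')   # 1 = little-endian, 2 = big-endian
    set -- $(od -An -tu1 -j16 -N2 "$f")             # the two bytes of e_type
    if [ "$data" = "2" ]; then echo $(( $1 * 256 + $2 )); else echo $(( $2 * 256 + $1 )); fi
}

# Macros the compiler predefines for an empty translation unit.
predefined_macros() { echo | "$1" -dM -E -x c - 2>/dev/null; }

# $1 = macro listing. gcc/clang define __SSP_ALL__, __SSP_STRONG__ or __SSP__
# for -fstack-protector-all, -fstack-protector-strong and -fstack-protector.
ssp_level() {
    case "$1" in
        *__SSP_ALL__*)    echo all ;;
        *__SSP_STRONG__*) echo strong ;;
        *__SSP__*)        echo basic ;;
        *)                echo none ;;
    esac
}

# $1 = macro listing. __PIE__ is defined when -fpie/-fPIE is in effect.
pie_default() { case "$1" in *__PIE__*) echo yes ;; *) echo no ;; esac; }

# $1 = macro listing. The compiler never defines _FORTIFY_SOURCE itself; a
# hardened spec (or the distro's wrapper) has to inject it.
fortify_level() {
    lvl=$(printf '%s\n' "$1" | sed -n 's/^#define _FORTIFY_SOURCE \([0-9]*\).*/\1/p')
    echo "${lvl:-none}"
}

# $1 = compiler. Build a tiny program and inspect what the linker produced.
link_defaults() {
    cc="$1"; src="${TMPDIR:-/tmp}/hardprobe.$$.c"; bin="${src%.c}"
    cat > "$src" <<'EOF'
#include <stdio.h>
#include <string.h>
/* Fixed-size local buffer so -fstack-protector (if on) instruments main. */
int main(int argc, char **argv) { char buf[64]; strcpy(buf, argc > 1 ? argv[1] : "probe"); puts(buf); return 0; }
EOF
    if ! "$cc" -o "$bin" "$src" 2>/dev/null; then rm -f "$src"; echo "compile-failed"; return 1; fi
    case "$(elf_type "$bin")" in 3) et=ET_DYN ;; 2) et=ET_EXEC ;; *) et=unknown ;; esac
    relro=n/a; now=n/a
    if command -v readelf >/dev/null 2>&1; then
        readelf -lW "$bin" | grep -q GNU_RELRO && relro=yes || relro=no
        readelf -dW "$bin" | grep -Eq 'BIND_NOW|Flags:.*NOW' && now=yes || now=no
    fi
    rm -f "$src" "$bin"
    echo "type=$et relro=$relro bindnow=$now"
}

# One summary line for the compiler in $1, $CC, or cc.
probe() {
    cc="${1:-${CC:-cc}}"
    macros=$(predefined_macros "$cc") || { echo "compiler unavailable: $cc"; return 1; }
    echo "compiler=$cc ssp=$(ssp_level "$macros") pie=$(pie_default "$macros") fortify=$(fortify_level "$macros") $(link_defaults "$cc")"
}

# Only print the summary when invoked as the script itself.
case "${0##*/}" in hardprobe.sh) probe ;; esac
```

Run it once with the vanilla spec and once with the hardened one selected (on Gentoo, gcc-config switches between them) and compare the two summary lines; a package that misbehaves only under the hardened default usually traces back to one of these fields, most often PIE, so the script also doubles as a quick way to confirm which spec a given shell is actually using.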