On Fri, 23 Jun 2017 12:28:27 -0400
"Anthony G. Basile" <[email protected]> wrote:

> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening.  The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own.  The hardened kernel, however, provided PaX
> protection for executables and this will be lost.  We did a lot of
> work to properly maintain PaX markings in our package management
> system and there was no part of Gentoo that wasn't touched by issues
> stemming from PaX support.


Good luck to them at providing a complete userland ecosystem for using
PaX protection. Good luck at getting people to accept and review their
often crashing asm patches at upstream projects that won't even be able
to test their benefits.

Maybe we should start a business for this? :)
http://static.sstic.org/videos2015/SSTIC_2015-06-03_P08_CLIP.mp4
(This is for Patrice)



We'll need to decide what to do with things like USE=pic. For media
packages this is not something you usually want to enable as you can
bear the 10Mb relocations at startup to have 10% or more performance
improvement when reading your 2-hour-long movie.


Alexis.
