On 15/03/11 20:05, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
> 
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> 
> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

emerge -e world does remerge everything, but not in the order you'd
expect. Try it with -p; you'll see that glibc and gcc are near the end.

You want them at the beginning, so that the hardened system is built by
a compiler and libc that are hardened, as well as the rest of the toolchain.

Now whereas a compiler can in theory be told to generate any kind of
code for anything, including hard code when it itself is not hard, can
you really be sure it actually will do that? Plus the rest of the
toolchain too.

The only certain way is to build a hardened toolchain then rebuild the
entire system with it.

emerge -e system ; emerge -e world is not the fastest route of minimal
compilation effort, but it sure is the easiest for the human in charge:
one line in bash, press enter, walk away.


-- 
alan dot mckinnon at gmail dot com
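An added check for the merge order Alan describes (example code, not part of this thread or of Gentoo): it reads `emerge -pe` pretend output and reports where the toolchain packages sit, so you can see whether glibc and gcc would be rebuilt before or after everything else. It assumes the toolchain is glibc, gcc and binutils; the pretend output below is constructed, not captured from a real machine.

```shell
# Constructed sample of `emerge -pe world` output (not from any real box),
# with glibc and gcc near the end, as the reply above warns.
SAMPLE_WORLD='[ebuild   R   ] sys-apps/sed-4.2.1
[ebuild   R   ] sys-libs/zlib-1.2.5
[ebuild   R   ] sys-devel/binutils-2.20.1
[ebuild   R   ] app-editors/vim-7.3
[ebuild   R   ] sys-libs/glibc-2.11.3
[ebuild   R   ] sys-devel/gcc-4.4.5  USE="hardened"'

# Constructed sample with the toolchain merged first (the order you want).
SAMPLE_SYSTEM_FIRST='[ebuild   R   ] sys-devel/binutils-2.20.1
[ebuild   R   ] sys-libs/glibc-2.11.3
[ebuild   R   ] sys-devel/gcc-4.4.5
[ebuild   R   ] sys-libs/zlib-1.2.5'

# Read pretend output on stdin; print "position/total category/pkg" for each
# toolchain package (assumed here: glibc, gcc, binutils) in merge order.
toolchain_positions() {
    awk '
    /^\[ebuild/ {
        n++
        # the atom is the first field after the "]" closing the status column
        for (i = 2; i <= NF; i++) if ($i == "]") { atom = $(i + 1); break }
        sub(/-[0-9][^ ]*$/, "", atom)          # strip version (and -rN / slot)
        if (atom == "sys-libs/glibc" || atom == "sys-devel/gcc" || atom == "sys-devel/binutils")
            pos[atom] = n
    }
    END { for (a in pos) printf "%d/%d %s\n", pos[a], n, a }' | sort -n
}

# Succeed only when every toolchain package precedes every other package,
# i.e. the highest toolchain position equals the toolchain package count.
toolchain_first() {
    toolchain_positions | awk -F'[/ ]' '
        { if ($1 + 0 > max) max = $1 + 0; k++ }
        END { if (k > 0 && max == k) exit 0; exit 1 }'
}

# On a real box: emerge -pe world | toolchain_first || echo "toolchain merges late"
```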