Alan McKinnon wrote:

emerge -e world does remerge everything, but not in the order you'd
expect. Try it with -p; you'll see that glibc and gcc are near the end.

You want them at the beginning, so that the hardened system is built by
a compiler and libc that are hardened as well as the rest of the toolchain.

Now whereas a compiler can in theory be told to generate any kind of
code for anything, including hard code when it itself is not hard, can
you really be sure it actually will do that? Plus the rest of the
toolchain too.

The only certain way is to build a hardened toolchain then rebuild the
entire system with it.

emerge -e system ; emerge -e world is not the fastest route of minimal
compilation effort, but it sure is the easiest for the human in charge:
one line in bash, press enter, walk away.


This may be a good time to use the script off the forums. I used it a few weeks or so ago and it worked great. It certainly does things in a different order than portage.

Dale

:-)  :-)
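A small check for the ordering point made above (Alan's advice to run the pretend listing and see where glibc and gcc land). This is an added example, not code from the thread or from the forum script Dale mentions. It parses the `[ebuild ...] category/package-version` lines that `emerge -ep world` prints and reports the merge position of sys-libs/glibc and sys-devel/gcc; the listing embedded below is a constructed sample, not captured output, and the `toolchain_positions` and `toolchain_is_early` names are this example's own.

```shell
#!/bin/sh
# Constructed sample in the shape of `emerge -ep world` output (not from a real system).
# The toolchain packages deliberately sit at the end, as the thread describes.
SAMPLE_PRETEND='[ebuild   R    ] sys-apps/baselayout-2.14
[ebuild   R    ] sys-apps/sed-4.9
[ebuild   R    ] app-shells/bash-5.2_p26
[ebuild   R    ] sys-devel/binutils-2.41
[ebuild   R    ] sys-libs/glibc-2.38
[ebuild   R    ] sys-devel/gcc-13.2.1_p20240113'

# Read a pretend listing on stdin and print "<position> <total> <category/package>"
# for each toolchain package found, ordered by merge position.
toolchain_positions() {
    awk '
        /^\[ebuild/ {
            n++
            # drop the "[ebuild ...]" status box; the atom is then the first field
            sub(/^\[[^]]*\] */, "")
            atom = $1
            # strip "-<version>" and anything after it (slot, repository)
            sub(/-[0-9][^ ]*$/, "", atom)
            if (atom == "sys-libs/glibc" || atom == "sys-devel/gcc") pos[atom] = n
        }
        END { for (a in pos) print pos[a], n, a }
    ' | sort -n
}

# Read a pretend listing on stdin; return 0 when every toolchain package
# would be merged within the first $1 packages, 1 otherwise.
toolchain_is_early() {
    limit="$1"
    toolchain_positions | awk -v limit="$limit" '
        $1 > limit { late = 1 }
        END { exit late ? 1 : 0 }'
}

# Stand-alone run over the constructed sample. On a real box the input would be
# `emerge -ep world` piped into the same functions.
printf '%s\n' "$SAMPLE_PRETEND" | toolchain_positions
if printf '%s\n' "$SAMPLE_PRETEND" | toolchain_is_early 2; then
    echo "toolchain is rebuilt early"
else
    echo "toolchain is rebuilt late: rebuild system first, then world"
fi
```

Run against the real listing with `emerge -ep world | toolchain_is_early 50` (the limit is a judgement call); a non-zero exit is the signal that the toolchain would be merged after most of the system, which is exactly the situation the `emerge -e system ; emerge -e world` sequence avoids.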
