Nikos Chantziaras <rea...@gmail.com> wrote: > > Well, if you're running a local process that is trying to attack you, > you've been compromised already, imo.
By your definition, you are compromised if you surf to the wrong webpage with enabled javascript. While this is arguably true, I would distinguish between various degree of compromise and would prefer if nevertheless such webpages would not be able to e.g. read the secret keys of a running gnupg process. > So, unless you're running some kind of server that offers execution time > to clients ... or use your browser with not always disabled javascript ... > and the few packages that run untrusted code. You misunderstand: For the packages which run the code, the mitigations like retpoline do not help much. It is the packages which _somehow_ react (or can be called) by such a code which need the protection by retpoline built-in. And this is an awful lot of packages since it includes also all libraries which are possibly used by these packages, language interpreters used by these packages, etc. If in doubt, I would re-emerge the full -e @world with corresponding compiler switches enabled. Of course, rebuilding @world without changing your C*FLAGS before would be pointless.