On Mon, 2023-11-13 at 11:19 +0100, ralfconn wrote:
>
> It seems to me easier to add these to the desktop rather than the other way
> round. Any gotchas I am missing?
>

There are a few other things in profiles/features/hardened that you should copy -- particularly the gcc USE flags -- but basically, you're right. These days the hardened profiles don't add much. The main thing they "add" is the lack of unnecessary features enabled by default in a desktop profile. It's a tedious process, but turning on the features you need one at a time in package.use will eventually result in a smaller attack surface than enabling them all at once in the desktop profile's make.defaults. Of course you could do that the other way around, too, starting from a desktop profile and disabling them one at a time.
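
An added example, not part of the original message and not Portage code: a small Python audit that lists the USE flags a desktop profile's make.defaults leaves enabled beyond a baseline, so each one can be reviewed before it is re-enabled in package.use. The sample file contents are constructed, and the function names and the generated `/etc/portage/make.conf` line are assumptions made for illustration.

```python
import re

# Constructed sample text in make.defaults syntax; not the real profile contents.
DESKTOP = '''\
# constructed stand-in for the desktop profile's make.defaults
USE="X alsa bluetooth cups \\
     dbus pulseaudio"
#USE="ignored-because-commented"
USE="${USE} udisks -bluetooth"
'''
BASELINE = 'USE="acl dbus ssl"\n'

# A USE assignment may span several lines inside one pair of double quotes.
USE_ASSIGNMENT = re.compile(r'^[ \t]*USE="([^"]*)"', re.MULTILINE)


def enabled_use(text):
    """Return the USE flags left enabled by make.defaults-style text."""
    enabled = set()
    for match in USE_ASSIGNMENT.finditer(text):
        for token in match.group(1).split():
            if token == "\\" or token.startswith("$"):
                continue  # line continuation or ${USE} self-reference
            if token.startswith("-"):
                enabled.discard(token[1:])  # a later "-flag" turns it off
            else:
                enabled.add(token)
    return enabled


def flags_to_review(desktop_text, baseline_text):
    """Flags the desktop defaults enable that the baseline does not."""
    return sorted(enabled_use(desktop_text) - enabled_use(baseline_text))


def make_conf_line(flags):
    """Build a USE line that disables every listed flag globally."""
    return 'USE="' + " ".join("-" + flag for flag in flags) + '"'


if __name__ == "__main__":
    review = flags_to_review(DESKTOP, BASELINE)
    print("Review before enabling per package:", ", ".join(review))
    print(make_conf_line(review))
```

On a real system the two inputs would be read from the make.defaults files of the profiles being compared, including those of any parent profiles they inherit from.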

