Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-11-29 Thread Toralf Förster
On 10/10/2017 11:27 PM, Nils Freydank wrote:
> It looks to me as there isn’t any emptytree world rebuild necessary, as long
> as someone comes from hardened with PIE enabled.

Furthermore I do wonder if even rebuilding GCC is necessary - except for
changed USE flags - for a hardened user already having PIE enabled ?

-- 
Toralf
PGP 23217DA7 9B888F45






Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-10 Thread Nils Freydank
On Tuesday, 10 October 2017, 20:56:32 CEST, Andreas K. Huettel wrote:
> On Tuesday, 10 October 2017, 01:15:42 CEST, Magnus Granberg wrote:
> > 3) Hardened profiles will be moved to the 17.0 profile as sub profile.
> 
> Are there any special switching instructions for hardened that we need to
> add?
As far as I know hardened had the PIE enabled at least for a while, but it is 
possible to switch to a non-PIE subprofile via gcc-config for gcc <6.

It looks to me as there isn’t any emptytree world rebuild necessary, as long as 
someone comes from hardened with PIE enabled.
-- 
GPG fingerprint: '766B 8122 1342 6912 3401 492A 8B54 D7A3 FF3C DB17'
Holgersson



Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-10 Thread Andreas K. Huettel
On Tuesday, 10 October 2017, 09:51:43 CEST, Kent Fredric wrote:
> 
> Are there any specific versions of toolchain modules that should/must be
> used in 17.0 to make it work with GCC-6.4.0?
> 

Not that I know of. I'd use most recent stable though.

(And glibc-2.25 will most likely become stable before gcc-6.)

> All I did was:
> - Forcibly create the profile symlink myself ( as it's not visible to me
>   yet with eselect )
> - accept-keywords for gcc
> - Followed remaining instructions.
> And hopefully that should be sufficient.

That should be perfectly fine.

> 
> binutils: 2.28.1
> gcc: 6.4.0
> glibc: 2.23-r4
> libtool: 2.4.6-r3

> I know this is typically a "don't mix ~arch and arch" thing, but I
> can't actually test things that will break otherwise :p

The whole "don't mix ~arch and arch" credo is in my opinion a bit silly. If 
mixing leads to bugs, these should be documented and fixed, if only with a 
version dependency.

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)



Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-10 Thread Andreas K. Huettel
On Tuesday, 10 October 2017, 01:15:42 CEST, Magnus Granberg wrote:

> 
> 3) Hardened profiles will be moved to the 17.0 profile as sub profile.
> 
Are there any special switching instructions for hardened that we need to add?

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)



Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-10 Thread Kent Fredric
On Mon, 09 Oct 2017 22:58:22 +0200
"Andreas K. Huettel" wrote:

> Please consider switching from your current 13.0 profile to the
> corresponding 17.0 profile soon after GCC-6.4.0 has been 
> stabilized on your architecture. The 13.0 profiles will be deprecated 
> and removed in the near future.

Just a question that only became apparent to me as I'm trying to
create a "mostly stable" keyworded chroot, but with this change added
to pick up defects:

Are there any specific versions of toolchain modules that should/must be used
in 17.0 to make it work with GCC-6.4.0?

All I did was:

- Forcibly create the profile symlink myself ( as it's not visible to me
  yet with eselect )

- accept-keywords for gcc

- Followed remaining instructions.

And hopefully that should be sufficient.

binutils: 2.28.1
gcc: 6.4.0
glibc: 2.23-r4
libtool: 2.4.6-r3

I know this is typically a "don't mix ~arch and arch" thing, but I
can't actually test things that will break otherwise :p




Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-10 Thread Pacho Ramos
On Tue, 10-10-2017 at 00:23 +0200, Toralf Förster wrote:
> On 10/09/2017 11:40 PM, Pacho Ramos wrote:
> > Could anyone with enough knowledge finally give a look to the patched vapier
> 
> s/patched/patches/
> 
> or ? :-)
> 

Yes :)



Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-09 Thread Magnus Granberg
On Monday, 9 October 2017, 22:58:22 CEST, Andreas K. Huettel wrote:
> =
> Title: New 17.0 profiles in the Gentoo repository
> Author: Andreas K. Hüttel 
> Posted: xxx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: >=sys-devel/gcc-6.4.0
> 
> We have just added a new set of profiles with release version 17.0
> to the Gentoo repository. These bring three changes:
> 1) The default C++ language version for applications is now C++14.
>    This change is mostly relevant to Gentoo developers. It also
>    means, however, that compilers earlier than GCC 6 are masked
>    and not supported for use as a system compiler anymore. Feel
>    free to unmask them if you need them for specific applications.
> 2) Where supported, GCC will now build position-independent
>    executables (PIE) by default. This improves the overall
>    security fingerprint. The switch from non-PIE to PIE binaries,
>    however, requires some steps by users, as detailed below.
> 
3) Hardened profiles will be moved to the 17.0 profile as sub profile.

> Please consider switching from your current 13.0 profile to the
> corresponding 17.0 profile soon after GCC-6.4.0 has been
> stabilized on your architecture. The 13.0 profiles will be deprecated
> and removed in the near future.
> 
> Switching involves the following steps:
> If not already done,
> * Use gcc-config to select gcc-6.4.0 or later as system compiler
> * Re-source /etc/profile:
>     . /etc/profile
> * Re-emerge libtool
> Then,
> * Select the new profile with eselect
> * Re-emerge, in this sequence, gcc, binutils, and glibc
>     emerge -1 sys-devel/gcc:6.4.0
>     emerge -1 sys-devel/binutils
>     emerge -1 sys-libs/glibc
> * Rebuild your entire system
>     emerge -e world
> 
> If you do not follow these steps you may get spurious build
> failures when the linker tries unsuccessfully to combine non-PIE
> and PIE code.
> =
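
An added example, not part of the original thread or of Gentoo's tooling: the news item above warns about mixing non-PIE and PIE code, so this sketch classifies ELF files by header to show which executables are still non-PIE. The function names, the PT_INTERP heuristic for telling PIE executables from shared libraries, and the 4 KiB read are assumptions of this example; the sample headers are constructed.

```python
import struct

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data):
    """Classify a file's leading bytes: 'non-PIE', 'PIE', 'shared-object', ..."""
    if data[:4] != b"\x7fELF" or len(data) < 20:
        return "not-elf"
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    try:
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        if e_type == ET_EXEC:
            return "non-PIE"               # linked for a fixed load address
        if e_type != ET_DYN:
            return "other-elf"             # relocatable object, core dump, ...
        # ET_DYN covers PIE and shared libraries; assume PT_INTERP marks PIE.
        if is64:
            (phoff,) = struct.unpack_from(end + "Q", data, 32)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        else:
            (phoff,) = struct.unpack_from(end + "I", data, 28)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        for i in range(phnum):
            (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
            if p_type == PT_INTERP:
                return "PIE"
        return "shared-object"
    except struct.error:
        return "truncated"

def sample_elf(e_type, with_interp):
    """Constructed 64-bit little-endian ELF header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<I", PT_INTERP if with_interp else 1) + bytes(52)
    return ident + header + phdr

def non_pie_files(paths):
    """Return the paths whose first 4 KiB parse as non-PIE executables."""
    hits = []
    for path in paths:
        try:
            with open(path, "rb") as f:
                if classify_elf(f.read(4096)) == "non-PIE":
                    hits.append(path)
        except OSError:
            continue                       # unreadable or missing file: skip
    return hits
```

A shared library that carries its own PT_INTERP header is reported as PIE by this heuristic, so treat the "PIE" result as "not a fixed-address executable" rather than as proof of an executable.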





Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-09 Thread Toralf Förster
On 10/09/2017 11:40 PM, Pacho Ramos wrote:
> Could anyone with enough knowledge finally give a look to the patched vapier

s/patched/patches/

or ? :-)

-- 
Toralf
PGP 23217DA7 9B888F45






Re: [gentoo-dev] RFC: news item for the 17.0 profiles

2017-10-09 Thread Pacho Ramos
On Mon, 09-10-2017 at 22:58 +0200, Andreas K. Huettel wrote:
> =
> Title: New 17.0 profiles in the Gentoo repository
> Author: Andreas K. Hüttel 
> Posted: xxx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: >=sys-devel/gcc-6.4.0
> 
> We have just added a new set of profiles with release version 17.0
> to the Gentoo repository. These bring two changes:
> 1) The default C++ language version for applications is now C++14.
>    This change is mostly relevant to Gentoo developers. It also
>    means, however, that compilers earlier than GCC 6 are masked
>    and not supported for use as a system compiler anymore. Feel
>    free to unmask them if you need them for specific applications.
> 2) Where supported, GCC will now build position-independent
>    executables (PIE) by default. This improves the overall
>    security fingerprint. The switch from non-PIE to PIE binaries,
>    however, requires some steps by users, as detailed below.
> 
> Please consider switching from your current 13.0 profile to the
> corresponding 17.0 profile soon after GCC-6.4.0 has been 
> stabilized on your architecture. The 13.0 profiles will be deprecated 
> and removed in the near future.
> 
> Switching involves the following steps: 
> If not already done,
> * Use gcc-config to select gcc-6.4.0 or later as system compiler
> * Re-source /etc/profile:
>     . /etc/profile
> * Re-emerge libtool

Could anyone with enough knowledge finally give a look to the patched vapier
provided in https://bugs.gentoo.org/88596 but never got committed?

Thanks!