From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Moving more hardening features to default?
Date: Thu, 20 Oct 2011 10:36:32 -0400 [thread overview]
Message-ID: <4EA031F0.5080200@gentoo.org> (raw)
In-Reply-To: <201110200857.00687.vapier@gentoo.org>
On 10/20/2011 08:57 AM, Mike Frysinger wrote:
> On Thursday 20 October 2011 08:41:55 Rich Freeman wrote:
>> 2011/10/20 Tomáš Chvátal:
>>> I would say that most hardened features should be merged to to main
>>> profile as soon as they won't cause major PITA for the regular users.
>> I agree - especially for stuff that doesn't require active setup
>> (stack protection, PaX, etc).
> except PaX requires kernel patches and is known to break things. not an
> acceptable default.
> -mike
I would not recommend PaX at this time. As Mike said, it breaks things,
sometimes important things. Eg. python ctypes was broken there for a
while on hardened. Also, unlike toolchain, it requires that you
configure your kernel correctly, ie have familiarity with what works and
what doesn't under certain PaX features. This may be trivial for us,
but might be more than we want to put newbies through.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
next prev parent reply other threads:[~2011-10-20 14:37 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-20 8:47 [gentoo-dev] Moving more hardening features to default? "Paweł Hajdan, Jr."
2011-10-20 10:40 ` Anthony G. Basile
2011-10-20 10:46 ` Tomáš Chvátal
2011-10-20 12:41 ` Rich Freeman
2011-10-20 12:57 ` Mike Frysinger
2011-10-20 14:36 ` Anthony G. Basile [this message]
2011-10-20 16:47 ` Rich Freeman
2011-10-20 17:17 ` Mike Frysinger
2011-10-20 20:51 ` Magnus Granberg
2011-10-23 3:56 ` [gentoo-dev] " Steven J Long
2011-10-25 10:10 ` "Paweł Hajdan, Jr."
2011-10-25 16:12 ` Francisco Blas Izquierdo Riera (klondike)
2011-10-27 1:13 ` [gentoo-dev] " Steven J Long
2011-10-20 11:46 ` [gentoo-dev] " Diego Elio Pettenò
2011-10-20 12:49 ` Mike Frysinger
2011-10-21 5:39 ` Ryan Hill
2011-10-20 12:55 ` [gentoo-dev] " Mike Frysinger
2011-10-21 3:20 ` [gentoo-dev] " Duncan
2011-10-21 12:13 ` Mike Frysinger
2011-10-21 15:25 ` Duncan
2011-10-21 16:37 ` Magnus Granberg
2011-10-25 14:18 ` [gentoo-dev] " Kacper Kowalik
2011-10-25 14:46 ` Patrick Lauer
2011-10-25 15:11 ` Rich Freeman
2011-10-25 15:38 ` "Paweł Hajdan, Jr."
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EA031F0.5080200@gentoo.org \
--to=blueness@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox