From: "Anthony G. Basile"
Date: Thu, 20 Oct 2011 10:36:32 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Moving more hardening features to default?
Message-ID: <4EA031F0.5080200@gentoo.org>
In-Reply-To: <201110200857.00687.vapier@gentoo.org>

On 10/20/2011 08:57 AM, Mike Frysinger wrote:
> On Thursday 20 October 2011 08:41:55 Rich Freeman wrote:
>> 2011/10/20 Tomáš Chvátal:
>>> I would say that most hardened features should be merged to main
>>> profile as soon as they won't cause major PITA for the regular users.
>> I agree - especially for stuff that doesn't require active setup
>> (stack protection, PaX, etc).
> except PaX requires kernel patches and is known to break things. not an
> acceptable default.
> -mike

I would not recommend PaX at this time. As Mike said, it breaks things, sometimes important things. E.g. python ctypes was broken there for a while on hardened. Also, unlike toolchain, it requires that you configure your kernel correctly, i.e. have familiarity with what works and what doesn't under certain PaX features. This may be trivial for us, but might be more than we want to put newbies through.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535