From: "Paweł Hajdan, Jr."
Date: Mon, 24 Oct 2011 08:58:57 +0200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Building hardened gcc specs always, just not enabling them by default
Message-ID: <4EA50CB1.50308@gentoo.org>
In-Reply-To: <4EA46F53.10400@gentoo.org>
References: <4EA45652.1050309@gentoo.org> <4EA464F2.4040203@gentoo.org> <4EA46F53.10400@gentoo.org>
On 10/23/11 9:47 PM, Anthony G. Basile wrote:
> So if you look in the hardened profiles, you'll see some things masked
> like net-im/skype because of the kernel, and some things masked like
> =sys-devel/gdb-7.0* because of the toolchain. If the hardened toolchain
> moves into mainstream, then we'll have to sort through those and figure
> out how to incorporate them into the main profiles.

That's right. My goal now is to come up with a realistic plan for how to do that. It seems most people agree it's a good goal; now we'd need to identify possible problems and find solutions.

Thank you for helping identify problems. Please take a look to see if my suggestions make sense.

> How would we say,
> if you use gcc-config and choose gcc-4.5.1-hardened spec, mask
> gdb-7.0*? I don't think it's impossible, but I'm not seeing how to
> proceed right now.

First, I'd like the hardened spec to be non-default, so that if the user chooses the hardened spec he'd be "on his own", and expect possibly more breakages.

Second, profiles/hardened/package.mask seems to contain only a few entries, and a more recent gdb than 7.0 works and is in stable. I've checked on my hardened system. This doesn't seem to be a serious issue; maybe we can just punt gdb 7.0 or print a message that it's expected to be broken with the hardened spec.

Third - can we forcefully disable hardened features in packages that are not compatible? My assumption is yes, and we should probably print a warning then.

Fourth - we can add the gcc spec to emerge --info.

What do you think?
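The second and third points above both depend on being able to tell whether the active gcc spec injects hardened flags by default, so that a package can print the "expected to be broken" message or opt out. The following is an added example, not code from this thread or from Gentoo's own gcc-config or toolchain eclasses: a POSIX shell script that parses a gcc specs dump and reports whether PIE, stack-protector and RELRO are enabled by default. The `*cc1:` and `*link:` directive names and the `%{!flag:...}` conditional syntax are gcc's real specs format; the two specs samples and all function names are constructed here for illustration. On a live system the sample text would be replaced by the output of `gcc -dumpspecs`.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a gcc specs dump for hardened
# defaults. The two samples below are CONSTRUCTED stand-ins for the output of
# `gcc -dumpspecs`; they are not Gentoo's actual hardened or vanilla specs.

HARDENED_SPECS='*cc1:
%(cc1_cpu) %{profile:-p} %{!fno-PIE:%{!fno-pie:%{!fPIE:%{!fpie:-fPIE}}}} %{!fno-stack-protector:%{!fno-stack-protector-all:-fstack-protector-all}}

*link:
%{!nopie:%{!shared:%{!static:-pie}}} %{!shared:%{!static:-z relro}}
'

VANILLA_SPECS='*cc1:
%(cc1_cpu) %{profile:-p}

*link:
%{!shared:%{!static:-dynamic-linker /lib64/ld-linux-x86-64.so.2}}
'

# specs_directive SPECS NAME: print the body of the "*NAME:" directive.
# In specs format a directive body runs until the next line starting with "*".
specs_directive() {
    printf '%s\n' "$1" | awk -v name="*$2:" '
        $0 == name { grab = 1; next }
        /^\*/      { grab = 0 }
        grab       { print }
    '
}

# specs_enables SPECS NAME FLAG: "yes" if the directive injects FLAG, "no"
# otherwise. The %{!fno-xxx:-fxxx} form means "add -fxxx unless the user
# turned it off", which is the hardened-by-default pattern we look for.
# The patterns are chosen so "-fPIE" does not match "-fno-PIE" and
# "-fstack-protector" does not match "-fno-stack-protector".
specs_enables() {
    if specs_directive "$1" "$2" | grep -q -- "$3"; then
        echo yes
    else
        echo no
    fi
}

# hardened_status SPECS: one-line summary such as "pie=yes ssp=yes relro=yes".
hardened_status() {
    printf 'pie=%s ssp=%s relro=%s\n' \
        "$(specs_enables "$1" cc1 -fPIE)" \
        "$(specs_enables "$1" cc1 -fstack-protector)" \
        "$(specs_enables "$1" link '-z relro')"
}

# hardened_warning SPECS: print the kind of notice the message proposes and
# return 0 when any hardened default is active; return 1 for a vanilla spec.
hardened_warning() {
    case "$(hardened_status "$1")" in
        *yes*)
            echo "warning: active gcc spec enables hardened defaults; expect more package breakage"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

hardened_status "$HARDENED_SPECS"
hardened_status "$VANILLA_SPECS"
```

Parsing the specs rather than grepping `gcc -v` output is deliberate: the spec directives are the place where the hardened defaults actually live, so the same check works whichever spec file gcc-config has selected.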