public inbox for gentoo-dev@lists.gentoo.org
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Moving more hardening features to default?
Date: Thu, 20 Oct 2011 08:41:55 -0400
Message-ID: <CAGfcS_mJfEQBR+VCpMhXgLJPr-XRk1q7066yqZD6-+JPH3_19g@mail.gmail.com>
In-Reply-To: <CA+NrkpdPq0cPxBwLoDzL=z==oyVy5aLdQiZH2Wfa2dyPQqwpjA@mail.gmail.com>

2011/10/20 Tomáš Chvátal <scarabeus@gentoo.org>:
> I would say that most hardened features should be merged to main
> profile as soon as they won't cause major PITA for the regular users.

I agree - especially for stuff that doesn't require active setup
(stack protection, PaX, etc).

If there are features that we could turn on but for a few packages,
maybe the solution there is to discuss them on-list and target them
for future adoption and make an effort to fix the impacted ebuilds.
Fix could mean either making the package work with the hardened
feature, or disabling it just for that package (filter-flags, tag
binaries not to run with features, etc).

The hardened profile can still of course be the place where we push
the envelope at the cost of more packages being masked, and there will
always be things like MAC that represent a big change in how a system
is run that will take a long time to become mainstream.

Rich
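Rich's mail lists stack protection and PIE-style hardening as features that need no active setup, and mentions that a package can be fixed by disabling a feature just for that build. Before deciding either way, a maintainer wants to know whether a given installed binary actually carries the hardening. The script below is an added example, not code from this thread or from Gentoo's toolchain or hardened project: it parses the ELF64 file header to see whether an executable was linked position-independent (e_type == ET_DYN, which is how PIE executables appear) and uses a constructed heuristic, the presence of the `__stack_chk_fail` symbol name in the file, to tell whether `-fstack-protector` was in effect. The `build_sample_elf` helper fabricates a minimal 64-byte ELF header so the checks can be exercised without a real binary; its field values are constructed sample input.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF spec


def parse_elf_header(data: bytes) -> dict:
    """Return the e_type/e_machine fields of an ELF64 header (big- or little-endian)."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != ELFCLASS64:
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"type": e_type, "machine": e_machine, "endian": endian}


def is_pie(data: bytes) -> bool:
    """PIE executables are linked as ET_DYN. Caveat: shared libraries are ET_DYN too,
    so this check is only meaningful when you already know the file is an executable."""
    return parse_elf_header(data)["type"] == ET_DYN


def has_stack_protector(data: bytes) -> bool:
    """Heuristic (assumption, not a spec guarantee): code built with -fstack-protector
    calls __stack_chk_fail, so the name shows up in the dynamic string table."""
    return b"__stack_chk_fail" in data


def hardening_report(data: bytes) -> dict:
    """Combine the two checks into one report for a single file's bytes."""
    return {"pie": is_pie(data), "stack_protector": has_stack_protector(data)}


def build_sample_elf(e_type: int, extra: bytes = b"") -> bytes:
    """Constructed sample input: a bare ELF64 x86-64 header with the given e_type,
    followed by optional trailing bytes standing in for a string table."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine(62=x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIQQQIHHHHHH",
                       e_type, 62, 1, 0x1000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ident + rest + extra


if __name__ == "__main__":
    # Usage: python elf_hardening_check.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        report = hardening_report(blob)
        print(f"{path}: PIE={report['pie']} stack_protector={report['stack_protector']}")
```

On a real system the same two facts are what `readelf -h` (Type: DYN) and `readelf -s` (an undefined `__stack_chk_fail` entry) show; the value of a small parser is that it can be run over every file in a package's image directory during a review, and a negative result points at exactly the packages that would need a per-package `filter-flags` style exception rather than a profile-wide rollback.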

