From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-dev+bounces-48306-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1RGrx9-0004Fx-3D
	for garchives@archives.gentoo.org; Thu, 20 Oct 2011 12:42:31 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 1347121C071;
	Thu, 20 Oct 2011 12:42:22 +0000 (UTC)
Received: from mail-bw0-f53.google.com (mail-bw0-f53.google.com [209.85.214.53])
	by pigeon.gentoo.org (Postfix) with ESMTP id 0D37121C02B
	for <gentoo-dev@lists.gentoo.org>; Thu, 20 Oct 2011 12:41:55 +0000 (UTC)
Received: by bke11 with SMTP id 11so4167307bke.40
        for <gentoo-dev@lists.gentoo.org>; Thu, 20 Oct 2011 05:41:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:sender:in-reply-to:references:date
         :x-google-sender-auth:message-id:subject:from:to:content-type
         :content-transfer-encoding;
        bh=TSkG18waNNUJ9lm3fFXQF5nJ9VGcAyGTB8Dzs6gN6tQ=;
        b=w3d/EKbDBdMik/yzosKhzyEQOvPsJwIXVXYvV+aCheWcoLFJ/Mg9XRUY5b1YUubVn4
         EKs/ql8iedAI3uwhYnOSraawCewkEFwVlB91BLnyMe559vpV1VNDHMkWBHwKvV4QFexB
         B0DWZt7h2d0R1v7y0eZ0S9KmELMMhEycB+vb0=
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.204.9.129 with SMTP id l1mr8141193bkl.15.1319114515076; Thu,
 20 Oct 2011 05:41:55 -0700 (PDT)
Sender: freemanrich@gmail.com
Received: by 10.204.72.195 with HTTP; Thu, 20 Oct 2011 05:41:55 -0700 (PDT)
In-Reply-To: <CA+NrkpdPq0cPxBwLoDzL=z==oyVy5aLdQiZH2Wfa2dyPQqwpjA@mail.gmail.com>
References: <4E9FE012.5080703@gentoo.org>
	<4E9FFAAB.2060802@gentoo.org>
	<CA+NrkpdPq0cPxBwLoDzL=z==oyVy5aLdQiZH2Wfa2dyPQqwpjA@mail.gmail.com>
Date: Thu, 20 Oct 2011 08:41:55 -0400
X-Google-Sender-Auth: i7rmxA9_0y-fFavTBY5Ksd52Eus
Message-ID: <CAGfcS_mJfEQBR+VCpMhXgLJPr-XRk1q7066yqZD6-+JPH3_19g@mail.gmail.com>
Subject: Re: [gentoo-dev] Moving more hardening features to default?
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: 
X-Archives-Hash: f3d354cb992eb2f5ed8127a7615974d2

2011/10/20 Tom=C3=A1=C5=A1 Chv=C3=A1tal <scarabeus@gentoo.org>:
> I would say that most hardened features should be merged to to main
> profile as soon as they won't cause major PITA for the regular users.

I agree - especially for stuff that doesn't require active setup
(stack protection, PaX, etc).

If there are features that we could turn on but for a few packages,
maybe the solution there is to discuss them on-list and target them
for future adoption and make an effort to fix the impacted ebuilds.
Fix could mean either making the package work with the hardened
feature, or disabling it just for that package (filter-flags, tag
binaries not to run with features, etc).

The hardened profile can still of course be the place where we push
the envelope at the cost of more packages being masked, and there will
always be things like MAC that represent a big change in how a system
is run that will take a long time to become mainstream.

Rich