Subject: Re: [gentoo-dev] Moving more hardening features to default?
From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Date: Thu, 20 Oct 2011 12:47:27 -0400
In-Reply-To: <4EA031F0.5080200@gentoo.org>
References: <4E9FE012.5080703@gentoo.org> <201110200857.00687.vapier@gentoo.org> <4EA031F0.5080200@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev@lists.gentoo.org>

On Thu, Oct 20, 2011 at 10:36 AM, Anthony G. Basile wrote:
> I would not recommend PaX at this time. As Mike said, it breaks things,
> sometimes important things. E.g. python ctypes was broken there for a
> while on hardened. Also, unlike toolchain, it requires that you
> configure your kernel correctly, i.e. have familiarity with what works and
> what doesn't under certain PaX features. This may be trivial for us,
> but might be more than we want to put newbies through.

I used it as an example because it is passive for the most part, and I
think most of the configuration could be handled by the ebuilds.
However, I didn't mean to suggest that it was ready to be made a
default. If the list of broken packages were small enough I think that
it would be fair to consider it as a future default to work towards.

I was trying to draw a contrast between passive things like
stack-protection and things that really get in your face like MAC.

Rich