[gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[basile]

Hi, a have a couple of question is for Gordon and Nedd regarding 
rebuilding an entire desktop system with emerge -e world, both amd64 and 
i686.   I'm mostly worried about the security implications of the 
choices I'm making and I'm not 100% sure of my understanding.

1) Regarding choice of compiler.  gcc-config -l gives

 [1] x86_64-pc-linux-gnu-3.4.6
 [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
 [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
 [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
 [5] x86_64-pc-linux-gnu-3.4.6-vanilla
 [6] x86_64-pc-linux-gnu-4.1.2

My understanding is that [1] is fully hardened and that [2]-[5] are 
exactly what they say, respectively no pie, no pie nor ssp, no ssp and 
fully vanilla.  My confusion is about 4.1.2.  What hardening is present 
in it?  (Did some hardening which wasn't present in gcc-3 make it to 
gcc-4 vanilla?)  What's the best practice here?


2) Regarding the choice of profiles on amd64.  I have

  [6]   hardened/amd64
  [7]   hardened/amd64/multilib *
  [10]  hardened/linux/amd64

I'm using the multilib and I'm wondering what the security implications 
of this decision.  Also, should I be thinking about the newer [10] on 
amd64?  What about the similar choice on i686?

Thanks guys.

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197

Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[Thomas Sachau]

[-- Attachment #1: Type: text/plain, Size: 1739 bytes --]

basile schrieb:
> 
> Hi, a have a couple of question is for Gordon and Nedd regarding
> rebuilding an entire desktop system with emerge -e world, both amd64 and
> i686.   I'm mostly worried about the security implications of the
> choices I'm making and I'm not 100% sure of my understanding.
> 
> 1) Regarding choice of compiler.  gcc-config -l gives
> 
> [1] x86_64-pc-linux-gnu-3.4.6
> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> [6] x86_64-pc-linux-gnu-4.1.2
> 
> My understanding is that [1] is fully hardened and that [2]-[5] are
> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
> fully vanilla.  My confusion is about 4.1.2.  What hardening is present
> in it?  (Did some hardening which wasn't present in gcc-3 make it to
> gcc-4 vanilla?)  What's the best practice here?

You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be masked as that version does
not have any builtin hardened features, so is only a normal, none-hardened gcc-4.1.2

> 
> 
> 2) Regarding the choice of profiles on amd64.  I have
> 
>  [6]   hardened/amd64
>  [7]   hardened/amd64/multilib *
>  [10]  hardened/linux/amd64
> 
> I'm using the multilib and I'm wondering what the security implications
> of this decision.  Also, should I be thinking about the newer [10] on
> amd64?  What about the similar choice on i686?
> 
> Thanks guys.
> 

What security implications should be there?
The newer [10] is still experimental and may change without warning. Use either [6] or [7] for now.

-- 
Thomas Sachau

Gentoo Linux Developer


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 315 bytes --]

Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[Mansour Moufid]

On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@gentoo.org> wrote:
> basile schrieb:
>>
>> Hi, a have a couple of question is for Gordon and Nedd regarding
>> rebuilding an entire desktop system with emerge -e world, both amd64 and
>> i686.   I'm mostly worried about the security implications of the
>> choices I'm making and I'm not 100% sure of my understanding.
>>
>> 1) Regarding choice of compiler.  gcc-config -l gives
>>
>> [1] x86_64-pc-linux-gnu-3.4.6
>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>> [6] x86_64-pc-linux-gnu-4.1.2
>>
>> My understanding is that [1] is fully hardened and that [2]-[5] are
>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
>> fully vanilla.  My confusion is about 4.1.2.  What hardening is present
>> in it?  (Did some hardening which wasn't present in gcc-3 make it to
>> gcc-4 vanilla?)  What's the best practice here?
>
> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be masked as that version does
> not have any builtin hardened features, so is only a normal, none-hardened gcc-4.1.2

This can happen when using a non-hardened stage3 tarball during the
install, then switching to the hardened profile later.

I've noticed it's not immediately clear where to get hardened stages
in the documentation. For those wondering, the mirror URL can be found
in the topic on #gentoo-hardened, i.e.:
http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/

>
>>
>>
>> 2) Regarding the choice of profiles on amd64.  I have
>>
>>  [6]   hardened/amd64
>>  [7]   hardened/amd64/multilib *
>>  [10]  hardened/linux/amd64
>>
>> I'm using the multilib and I'm wondering what the security implications
>> of this decision.  Also, should I be thinking about the newer [10] on
>> amd64?  What about the similar choice on i686?
>>
>> Thanks guys.
>>
>
> What security implications should be there?
> The newer [10] is still experimental and may change without warning. Use either [6] or [7] for now.
>
> --
> Thomas Sachau
>
> Gentoo Linux Developer
>
>

-- 
Mansour Moufid
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDF2862BA

Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[basile]

Mansour Moufid wrote:
> On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@gentoo.org> wrote:
>   
>> basile schrieb:
>>     
>>> Hi, a have a couple of question is for Gordon and Nedd regarding
>>> rebuilding an entire desktop system with emerge -e world, both amd64 and
>>> i686.   I'm mostly worried about the security implications of the
>>> choices I'm making and I'm not 100% sure of my understanding.
>>>
>>> 1) Regarding choice of compiler.  gcc-config -l gives
>>>
>>> [1] x86_64-pc-linux-gnu-3.4.6
>>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>>> [6] x86_64-pc-linux-gnu-4.1.2
>>>
>>> My understanding is that [1] is fully hardened and that [2]-[5] are
>>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
>>> fully vanilla.  My confusion is about 4.1.2.  What hardening is present
>>> in it?  (Did some hardening which wasn't present in gcc-3 make it to
>>> gcc-4 vanilla?)  What's the best practice here?
>>>       
>> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be masked as that version does
>> not have any builtin hardened features, so is only a normal, none-hardened gcc-4.1.2
>>     
>
> This can happen when using a non-hardened stage3 tarball during the
> install, then switching to the hardened profile later.
>
> I've noticed it's not immediately clear where to get hardened stages
> in the documentation. For those wondering, the mirror URL can be found
> in the topic on #gentoo-hardened, i.e.:
> http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
>
>   

I followed a variation of the upgrade process discussed here:

http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml

The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1

I understand that its a VERY EARLY draft, but it proceeded without any 
problems on both i686 and amd64.  I'm pretty sure I didn't loose PIE, 
but I'm not so sure about SSP.  I'm playing around now with 
-fstack-protector-all in my CFLAGS.


>>> 2) Regarding the choice of profiles on amd64.  I have
>>>
>>>  [6]   hardened/amd64
>>>  [7]   hardened/amd64/multilib *
>>>  [10]  hardened/linux/amd64
>>>
>>> I'm using the multilib and I'm wondering what the security implications
>>> of this decision.  Also, should I be thinking about the newer [10] on
>>> amd64?  What about the similar choice on i686?
>>>
>>> Thanks guys.
>>>
>>>       
>> What security implications should be there?
>> The newer [10] is still experimental and may change without warning. Use either [6] or [7] for now.
>>
>> --
>> Thomas Sachau
>>
>> Gentoo Linux Developer
>>
>>     
I remember reading about lots of security bugs with emulating 
libraries.  I just googled for it to remind myself.  So I'm wondering 
whether profile 6 is better than 7. 

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197

Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[Ned Ludd]

On Sun, 2009-04-19 at 20:59 -0400, basile wrote:
> Mansour Moufid wrote:
> > On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@gentoo.org> wrote:
> >   
> >> basile schrieb:
> >>     
> >>> Hi, a have a couple of question is for Gordon and Nedd regarding
> >>> rebuilding an entire desktop system with emerge -e world, both amd64 and
> >>> i686.   I'm mostly worried about the security implications of the
> >>> choices I'm making and I'm not 100% sure of my understanding.
> >>>
> >>> 1) Regarding choice of compiler.  gcc-config -l gives
> >>>
> >>> [1] x86_64-pc-linux-gnu-3.4.6
> >>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> >>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> >>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> >>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> >>> [6] x86_64-pc-linux-gnu-4.1.2
> >>>
> >>> My understanding is that [1] is fully hardened and that [2]-[5] are
> >>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
> >>> fully vanilla.  My confusion is about 4.1.2.  What hardening is present
> >>> in it?  (Did some hardening which wasn't present in gcc-3 make it to
> >>> gcc-4 vanilla?)  What's the best practice here?
> >>>       
> >> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be masked as that version does
> >> not have any builtin hardened features, so is only a normal, none-hardened gcc-4.1.2
> >>     
> >
> > This can happen when using a non-hardened stage3 tarball during the
> > install, then switching to the hardened profile later.
> >
> > I've noticed it's not immediately clear where to get hardened stages
> > in the documentation. For those wondering, the mirror URL can be found
> > in the topic on #gentoo-hardened, i.e.:
> > http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
> >
> >   
> 
> I followed a variation of the upgrade process discussed here:
> 
> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
> 
> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1
> 
> I understand that its a VERY EARLY draft, but it proceeded without any 
> problems on both i686 and amd64.  I'm pretty sure I didn't loose PIE, 
> but I'm not so sure about SSP.  I'm playing around now with 
> -fstack-protector-all in my CFLAGS.
> 
> 
> >>> 2) Regarding the choice of profiles on amd64.  I have
> >>>
> >>>  [6]   hardened/amd64
> >>>  [7]   hardened/amd64/multilib *
> >>>  [10]  hardened/linux/amd64
> >>>
> >>> I'm using the multilib and I'm wondering what the security implications
> >>> of this decision.  Also, should I be thinking about the newer [10] on
> >>> amd64?  What about the similar choice on i686?
> >>>
> >>> Thanks guys.
> >>>
> >>>       
> >> What security implications should be there?
> >> The newer [10] is still experimental and may change without warning. Use either [6] or [7] for now.
> >>
> >> --
> >> Thomas Sachau
> >>
> >> Gentoo Linux Developer
> >>
> >>     
> I remember reading about lots of security bugs with emulating 
> libraries.  I just googled for it to remind myself.  So I'm wondering 
> whether profile 6 is better than 7. 

Either is fine. 

[6] might be better for a server where space is a concern. better for
extreme paranoia.
[7] is the only real choice if you plan to use X at all.

If you were on #10 then it's best to switch to #7 also.

# to update the installed gcc:4.x also.
ACCEPT_KEYWORDS="*~" emerge -pvq gcc

Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[Thomas Sachau]

[-- Attachment #1: Type: text/plain, Size: 3423 bytes --]

basile schrieb:
> Mansour Moufid wrote:
>> On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@gentoo.org> wrote:
>>  
>>> basile schrieb:
>>>    
>>>> Hi, a have a couple of question is for Gordon and Nedd regarding
>>>> rebuilding an entire desktop system with emerge -e world, both amd64
>>>> and
>>>> i686.   I'm mostly worried about the security implications of the
>>>> choices I'm making and I'm not 100% sure of my understanding.
>>>>
>>>> 1) Regarding choice of compiler.  gcc-config -l gives
>>>>
>>>> [1] x86_64-pc-linux-gnu-3.4.6
>>>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>>>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>>>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>>>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>>>> [6] x86_64-pc-linux-gnu-4.1.2
>>>>
>>>> My understanding is that [1] is fully hardened and that [2]-[5] are
>>>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
>>>> fully vanilla.  My confusion is about 4.1.2.  What hardening is present
>>>> in it?  (Did some hardening which wasn't present in gcc-3 make it to
>>>> gcc-4 vanilla?)  What's the best practice here?
>>>>       
>>> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should
>>> be masked as that version does
>>> not have any builtin hardened features, so is only a normal,
>>> none-hardened gcc-4.1.2
>>>     
>>
>> This can happen when using a non-hardened stage3 tarball during the
>> install, then switching to the hardened profile later.
>>
>> I've noticed it's not immediately clear where to get hardened stages
>> in the documentation. For those wondering, the mirror URL can be found
>> in the topic on #gentoo-hardened, i.e.:
>> http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
>>
>>   
> 
> I followed a variation of the upgrade process discussed here:
> 
> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
> 
> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1
> 
> I understand that its a VERY EARLY draft, but it proceeded without any
> problems on both i686 and amd64.  I'm pretty sure I didn't loose PIE,
> but I'm not so sure about SSP.  I'm playing around now with
> -fstack-protector-all in my CFLAGS.
> 
> 
>>>> 2) Regarding the choice of profiles on amd64.  I have
>>>>
>>>>  [6]   hardened/amd64
>>>>  [7]   hardened/amd64/multilib *
>>>>  [10]  hardened/linux/amd64
>>>>
>>>> I'm using the multilib and I'm wondering what the security implications
>>>> of this decision.  Also, should I be thinking about the newer [10] on
>>>> amd64?  What about the similar choice on i686?
>>>>
>>>> Thanks guys.
>>>>
>>>>       
>>> What security implications should be there?
>>> The newer [10] is still experimental and may change without warning.
>>> Use either [6] or [7] for now.
>>>
>>> -- 
>>> Thomas Sachau
>>>
>>> Gentoo Linux Developer
>>>
>>>     
> I remember reading about lots of security bugs with emulating
> libraries.  I just googled for it to remind myself.  So I'm wondering
> whether profile 6 is better than 7.

There may be open bugs with those emul-linux-* packages which currently provide some basic 32bit
libs, but they are not installed by using the profile nor are you forced to use them. If your
reading was about something different, please specify it.


-- 
Thomas Sachau

Gentoo Linux Developer


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 315 bytes --]

Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[basile]

Thomas Sachau wrote:
> basile schrieb:
>   
>> Mansour Moufid wrote:
>>     
>>> On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@gentoo.org> wrote:
>>>  
>>>       
>>>> basile schrieb:
>>>>    
>>>>         
>>>>> Hi, a have a couple of question is for Gordon and Nedd regarding
>>>>> rebuilding an entire desktop system with emerge -e world, both amd64
>>>>> and
>>>>> i686.   I'm mostly worried about the security implications of the
>>>>> choices I'm making and I'm not 100% sure of my understanding.
>>>>>
>>>>> 1) Regarding choice of compiler.  gcc-config -l gives
>>>>>
>>>>> [1] x86_64-pc-linux-gnu-3.4.6
>>>>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>>>>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>>>>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>>>>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>>>>> [6] x86_64-pc-linux-gnu-4.1.2
>>>>>
>>>>> My understanding is that [1] is fully hardened and that [2]-[5] are
>>>>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
>>>>> fully vanilla.  My confusion is about 4.1.2.  What hardening is present
>>>>> in it?  (Did some hardening which wasn't present in gcc-3 make it to
>>>>> gcc-4 vanilla?)  What's the best practice here?
>>>>>       
>>>>>           
>>>> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should
>>>> be masked as that version does
>>>> not have any builtin hardened features, so is only a normal,
>>>> none-hardened gcc-4.1.2
>>>>     
>>>>         
>>> This can happen when using a non-hardened stage3 tarball during the
>>> install, then switching to the hardened profile later.
>>>
>>> I've noticed it's not immediately clear where to get hardened stages
>>> in the documentation. For those wondering, the mirror URL can be found
>>> in the topic on #gentoo-hardened, i.e.:
>>> http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
>>>
>>>   
>>>       
>> I followed a variation of the upgrade process discussed here:
>>
>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>>
>> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1
>>
>> I understand that its a VERY EARLY draft, but it proceeded without any
>> problems on both i686 and amd64.  I'm pretty sure I didn't loose PIE,
>> but I'm not so sure about SSP.  I'm playing around now with
>> -fstack-protector-all in my CFLAGS.
>>
>>
>>     
>>>>> 2) Regarding the choice of profiles on amd64.  I have
>>>>>
>>>>>  [6]   hardened/amd64
>>>>>  [7]   hardened/amd64/multilib *
>>>>>  [10]  hardened/linux/amd64
>>>>>
>>>>> I'm using the multilib and I'm wondering what the security implications
>>>>> of this decision.  Also, should I be thinking about the newer [10] on
>>>>> amd64?  What about the similar choice on i686?
>>>>>
>>>>> Thanks guys.
>>>>>
>>>>>       
>>>>>           
>>>> What security implications should be there?
>>>> The newer [10] is still experimental and may change without warning.
>>>> Use either [6] or [7] for now.
>>>>
>>>> -- 
>>>> Thomas Sachau
>>>>
>>>> Gentoo Linux Developer
>>>>
>>>>     
>>>>         
>> I remember reading about lots of security bugs with emulating
>> libraries.  I just googled for it to remind myself.  So I'm wondering
>> whether profile 6 is better than 7.
>>     
>
> There may be open bugs with those emul-linux-* packages which currently provide some basic 32bit
> libs, but they are not installed by using the profile nor are you forced to use them. If your
> reading was about something different, please specify it.
>
>
>   
http://blog.flameeyes.eu/tag/multilib


-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197

Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems

[Thomas Sachau]

[-- Attachment #1: Type: text/plain, Size: 3897 bytes --]

basile schrieb:
> Thomas Sachau wrote:
>> basile schrieb:
>>  
>>> Mansour Moufid wrote:
>>>    
>>>> On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@gentoo.org>
>>>> wrote:
>>>>  
>>>>      
>>>>> basile schrieb:
>>>>>           
>>>>>> Hi, a have a couple of question is for Gordon and Nedd regarding
>>>>>> rebuilding an entire desktop system with emerge -e world, both amd64
>>>>>> and
>>>>>> i686.   I'm mostly worried about the security implications of the
>>>>>> choices I'm making and I'm not 100% sure of my understanding.
>>>>>>
>>>>>> 1) Regarding choice of compiler.  gcc-config -l gives
>>>>>>
>>>>>> [1] x86_64-pc-linux-gnu-3.4.6
>>>>>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>>>>>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>>>>>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>>>>>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>>>>>> [6] x86_64-pc-linux-gnu-4.1.2
>>>>>>
>>>>>> My understanding is that [1] is fully hardened and that [2]-[5] are
>>>>>> exactly what they say, respectively no pie, no pie nor ssp, no ssp
>>>>>> and
>>>>>> fully vanilla.  My confusion is about 4.1.2.  What hardening is
>>>>>> present
>>>>>> in it?  (Did some hardening which wasn't present in gcc-3 make it to
>>>>>> gcc-4 vanilla?)  What's the best practice here?
>>>>>>                 
>>>>> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should
>>>>> be masked as that version does
>>>>> not have any builtin hardened features, so is only a normal,
>>>>> none-hardened gcc-4.1.2
>>>>>             
>>>> This can happen when using a non-hardened stage3 tarball during the
>>>> install, then switching to the hardened profile later.
>>>>
>>>> I've noticed it's not immediately clear where to get hardened stages
>>>> in the documentation. For those wondering, the mirror URL can be found
>>>> in the topic on #gentoo-hardened, i.e.:
>>>> http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
>>>>
>>>>         
>>> I followed a variation of the upgrade process discussed here:
>>>
>>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>>>
>>> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1
>>>
>>> I understand that its a VERY EARLY draft, but it proceeded without any
>>> problems on both i686 and amd64.  I'm pretty sure I didn't loose PIE,
>>> but I'm not so sure about SSP.  I'm playing around now with
>>> -fstack-protector-all in my CFLAGS.
>>>
>>>
>>>    
>>>>>> 2) Regarding the choice of profiles on amd64.  I have
>>>>>>
>>>>>>  [6]   hardened/amd64
>>>>>>  [7]   hardened/amd64/multilib *
>>>>>>  [10]  hardened/linux/amd64
>>>>>>
>>>>>> I'm using the multilib and I'm wondering what the security
>>>>>> implications
>>>>>> of this decision.  Also, should I be thinking about the newer [10] on
>>>>>> amd64?  What about the similar choice on i686?
>>>>>>
>>>>>> Thanks guys.
>>>>>>
>>>>>>                 
>>>>> What security implications should be there?
>>>>> The newer [10] is still experimental and may change without warning.
>>>>> Use either [6] or [7] for now.
>>>>>
>>>>> -- 
>>>>> Thomas Sachau
>>>>>
>>>>> Gentoo Linux Developer
>>>>>
>>>>>             
>>> I remember reading about lots of security bugs with emulating
>>> libraries.  I just googled for it to remind myself.  So I'm wondering
>>> whether profile 6 is better than 7.
>>>     
>>
>> There may be open bugs with those emul-linux-* packages which
>> currently provide some basic 32bit
>> libs, but they are not installed by using the profile nor are you
>> forced to use them. If your
>> reading was about something different, please specify it.
>>
>>
>>   
> http://blog.flameeyes.eu/tag/multilib
> 
> 

As i said: Only the library packages are the problem, not the profile itself.

-- 
Thomas Sachau

Gentoo Linux Developer


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 315 bytes --]