public inbox for gentoo-user@lists.gentoo.org
From: Brian Davis <bridavis@comcast.net>
To: Brian Davis <bridavis@comcast.net>
Cc: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  Re: Simplified apache2
Date: Thu, 14 Sep 2006 17:49:23 -0400
Message-ID: <4509CE63.5070802@comcast.net>
In-Reply-To: <45098BC8.8080201@comcast.net>

I think I've answered my own question:

On my system, gzip is the only package that contains the pic USE flag. 
Looking at the ebuild, the pic USE flag is used to tell the system not 
to use the assembler code optimizations.

Presumably, assembler code can't be relocated.

Thanks,
Brian

Brian Davis wrote:
>
>
> Rumen Yotov wrote:
>> Hi,
>> On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
>> James <wireless@tampabay.rr.com> wrote:
>>  
>>> Ryan Tandy <tarpman <at> gmail.com> writes:
>>>
>>>
>>>    
>>>> Michael Crute wrote:
>>>>      
>>>>> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
>>>>> python readline"
>>>>>         
>> You could omit "pic" here IIRC (on a hardened profile) "hardened"
>> includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
>> If using a vanilla (desktop & server) profile you'll need 'pie' as well.
>> Maybe (if not using a hardened profile) you'll also need some LDFLAGS.
>>   
> I have a question on this, why would a package have to use a pic USE 
> flag if all that was needed was to compile with -fpic?
>
>>> Ok,
>>> So I'll test your suggestions. The more minimized the global flags 
>>> are, the more secure the server.
>>>
>>>     
>> +1
>> Could also check the flags in "hardened" profile.
>>  
>>>> Also, be careful using the hardened flag without running the
>>>> hardened profile.  The hardened profile masks out a couple of
>>>> packages and flags that don't work so well on a hardened system.
>>>>       
>> +1
>>  
>>> Hmmmm,
>>>
>>> Not sure I fully grasp what you mean by a 'hardened system'. If you
>>> mean running a hardened kernel with only necessary software
>>> installed, then yes, I run hardened kernels on most servers {dns,
>>> web, mail, firewalls....}
>>>
>>> If running a hardened system means more than that, please explain,
>>> or point me to some docs.
>>>     
>> Check hardened docs page on w.g.o, in short hardened means a kernel
>> with PaX (+ -fpie for packages) some sort of RBAC system - grsec, RSBAC
>> or SELinux and all user-land built with SSP,pic,pie (IMHO).
>>  
>>>> BTW, the flags with underscores in them (kernel_linux,
>>>> userland_GNU, elibc_glibc, video_cards_radeon and such) are known
>>>> as USE_EXPAND or expanded USE flags.        
>>> This is nice to know. I did not get the memo on this.
>>> Any docs for further reading you can point me to?
>>>
>>>     
>> ...SKIP...
>>  
>>> James
>>>     
>> HTH.Rumen
>>   
>
-- 
gentoo-user@gentoo.org mailing list


