From: Alan McKinnon
Date: Tue, 15 Mar 2011 21:40:46 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Switching to a hardened profile and back again
Message-ID: <4D7FC0BE.7090701@gmail.com>

On 15/03/11 20:05, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix. I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch? If that happens I'll be in
> real trouble. Will I be able to switch back to a non-hardened profile
> afterward? I plan to follow this guide:
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>
> BTW, are emerge -e world and emerge -e system both necessary? I
> thought emerge -e world would rebuild everything.

emerge -e world does remerge everything, but not in the order you'd
expect. Try it with -p: you'll see that glibc and gcc are near the end.
You want them at the beginning, so that the hardened system is built by
a compiler and libc that are hardened, as well as the rest of the
toolchain.

Now, whereas a compiler can in theory be told to generate any kind of
code for anything, including hard code when it itself is not hard, can
you really be sure it actually will do that? Plus the rest of the
toolchain too. The only certain way is to build a hardened toolchain,
then rebuild the entire system with it.

emerge -e system ; emerge -e world is not the fastest route of minimal
compilation effort, but it sure is the easiest for the human in charge:
one line in bash, press enter, walk away.

--
alan dot mckinnon at gmail dot com
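An added helper, not part of the original mail or of Gentoo's own tooling, that automates the `emerge -p` inspection Alan describes: it reads pretend output on stdin and reports where binutils, gcc and glibc land in the merge order, so you can confirm the toolchain is rebuilt before the rest of the system. The sample lines are constructed to resemble `emerge -ep world` output; the package set and the position limit are assumptions.

```shell
#!/bin/sh
# Toolchain packages to look for in the merge list (assumed set).
TOOLCHAIN="sys-devel/binutils sys-devel/gcc sys-libs/glibc"

# Read `emerge -p` output on stdin; print "<pos>/<total> <atom>" for each
# toolchain package, or "missing/<total> <atom>" if it is not scheduled.
toolchain_positions() {
    awk -v want="$TOOLCHAIN" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        /^\[ebuild/ {
            total++
            # the token after the closing bracket is category/name-version
            match($0, /] +[^ ]+/)
            atom = substr($0, RSTART, RLENGTH)
            sub(/^] +/, "", atom)
            sub(/-[0-9][^ ]*$/, "", atom)   # strip the version suffix
            if (atom in wanted) pos[atom] = total
        }
        END {
            for (a in wanted)
                if (a in pos) printf "%d/%d %s\n", pos[a], total, a
                else printf "missing/%d %s\n", total, a
        }'
}

# Exit 0 only if every toolchain package is merged within the first
# `limit` packages (default 10); exit 1 if one is late or missing.
toolchain_first() {
    limit=${1:-10}
    toolchain_positions | awk -v limit="$limit" '
        $1 ~ /^missing/ { bad = 1; next }
        { split($1, p, "/"); if (p[1] + 0 > limit + 0) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: toolchain scheduled last, as the mail describes.
SAMPLE='[ebuild   R   ] sys-apps/sed-4.2.1  USE="nls" 0 kB
[ebuild   R   ] app-editors/vim-7.3.50  0 kB
[ebuild   R   ] sys-devel/binutils-2.20.1-r1  0 kB
[ebuild   R   ] sys-devel/gcc-4.4.5  USE="hardened" 0 kB
[ebuild   R   ] sys-libs/glibc-2.11.3  USE="hardened" 0 kB'

# Real usage: emerge -ep world | toolchain_first 5 || echo "toolchain is not first"
```

Run it against the sample with `printf '%s\n' "$SAMPLE" | toolchain_positions` to see the ordinals, or pipe real pretend output into `toolchain_first` before starting a full rebuild.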