I am installing a personal server with hardened Gentoo. Once I finished and had it running, I thought that it would be even more secure if I completely removed the gcc package from the system, so even in a break-in attempt they can't compile anything. Of course, previously creating a pkg for it, so I can continue using gcc for updates later when needed. So I ran: quickpkg sys-devel/gcc. And after emerge -C gcc... I discovered that libstdc++ was being kept as it is a dependency of other programs (I thought that it was in glibc, not in gcc's library). So in order to add security, and to be on par with other distros (in which you see they have that library split out of gcc), is it reasonable to split the libstdc++ package out of gcc's? (like a new ebuild, or the like)
Reproducible: Always
Not really. Maybe you could just remove the binaries.
(In reply to Ryan Hill from comment #1)
> Not really. Maybe you could just remove the binaries.
It may be possible in the future, using portage, to identify libraries that we need to leave behind when unmerging a package. I'm cc-ing zmedico because he has been working on consumer/provide code in portage to track this sort of information in the linkage map. Maybe an option in portage like --safe-unmerge which is not a sledgehammer like --unmerge, but also not as restrictive as --depclean. --safe-unmerge = "remove the package and don't worry about dependencies, but leave behind any files that other packages report as needed for consumption, and don't orphan these extra files either, but keep track of them in case I want to clean them up later." I do see merit in the reporter's request. In the past, when I've mastered things like amazonaws images, I've just followed Ryan's approach and deleted binaries with hand-baked scripts. But having this in portage might be nice. @zmedico. This might be something that easily comes out of what you've been doing without much extra work. What do you think? (Thinking out loud.)
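An added example, not portage's linkage-map code and not from this bug: a small ELF64 DT_NEEDED reader that lists which files directly link a given library (libstdc++.so.6 here), which is the check to run before unmerging gcc on a box like the reporter's to see what would break. It assumes ELF64 binaries; ELF32 is rejected rather than mis-parsed.

```python
import struct
from pathlib import Path

PT_LOAD, PT_DYNAMIC = 1, 2                     # program header types
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5        # dynamic section tags

def needed_libs(data: bytes) -> list[str]:
    """DT_NEEDED names of an ELF64 image (ELF32 is rejected, not mis-parsed)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little, 2 = big endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):                   # Elf64_Phdr: type, flags, off, vaddr, paddr, filesz, memsz, align
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []                              # statically linked: no runtime library needs
    needed, strtab_vaddr, off = [], None, dynamic[0]
    while off + 16 <= dynamic[0] + dynamic[1]: # Elf64_Dyn: d_tag, d_val (8 bytes each)
        tag, val = struct.unpack_from(end + "qQ", data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)                 # offset into the dynamic string table
        elif tag == DT_STRTAB:
            strtab_vaddr = val                 # virtual address; map it to a file offset below
        off += 16
    if strtab_vaddr is None:
        return []
    strtab_off = next((o + strtab_vaddr - v for v, o, sz in loads if v <= strtab_vaddr < v + sz), None)
    if strtab_off is None:
        raise ValueError("DT_STRTAB not inside any PT_LOAD segment")
    return [data[strtab_off + n:data.index(b"\0", strtab_off + n)].decode() for n in needed]

def consumers(paths, libname: str) -> list[str]:
    """Files among `paths` that directly link `libname` (transitive needs are not followed)."""
    hits = []
    for p in paths:
        try:
            if libname in needed_libs(Path(p).read_bytes()):
                hits.append(str(p))
        except (ValueError, OSError, struct.error, UnicodeDecodeError):
            continue                           # not ELF, unreadable or malformed: skip it
    return hits
```

Call it as consumers(Path("/usr/bin").rglob("*"), "libstdc++.so.6") to list the binaries that would lose their C++ runtime; it only reads DT_NEEDED, so a binary that reaches libstdc++ through another library is not reported.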