Based on my experience with switching to the hardened profile, after running "emerge --oneshot binutils gcc virtual/libc", shouldn't "gcc-config -l" followed by "gcc-config <version>" be performed so as to emerge system and world with the compiler that has PIE enabled? Although I had 4.5.2 installed prior, 4.4.3 was still selected. 4.5.2 was rebuilt with PIE enabled, but the 4.4.3 compiler was being used for all work. I believe a step should be added to ensure the compiler built with PIE is selected, and also that "gcc -v" should be run and have the user verify that the compiler reports something to the effect of "gcc version 4.5.2 (Gentoo Hardened 4.5.2 p1.1, pie-0.4.5)".

Reproducible: Always

Steps to Reproduce:
1. Follow instructions in code listing 2.3

Actual Results: Currently selected gcc-config compiler will be used

Expected Results: Compiled with PIE-enabled compiler
Thanks for the comment, I have updated it on the git repository so if the rest of the team agrees we will push this after the next meeting (if not earlier). Here is a preview of the current status: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=blob_plain;f=html/hardenedfaq.html;hb=HEAD#hardenedprofile
Looks good. My only suggestion might be to make SURE the user runs "source /etc/profile" if they have to select a new compiler with gcc-config. gcc-config does tell you to do this as part of its output, but if they don't then the newly selected version of gcc won't be picked up for the system and world emerges. Of course, if you're doing the conversion to hardened, you should probably know enough to follow the instructions from any output anyway, right? :)
Fixed that too: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=blob_plain;f=html/hardenedfaq.html;h=1d6bbea895628ea1e4510beca7b747b7515164b9;hb=HEAD Thanks for the suggestions, it is very comforting hearing that somebody does read the docs :D
Since the fix is already published on the official docs I asked blueness to close this. Thanks blueness :D
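
The verification step discussed in this thread, as an added example that is not part of the bug report or of the Gentoo Hardened documentation: it checks the `gcc -v` banner for the Hardened and pie tags quoted above, then confirms that the selected compiler really emits a position-independent executable by reading `e_type` from the ELF header of a test build. The function names are hypothetical, and it assumes a PIE-by-default compiler produces `ET_DYN` output.

```sh
#!/bin/sh
# Added example: post-switch check that the *selected* gcc is the PIE build.

# Reads `gcc -v` output on stdin; succeeds only if the "gcc version" line
# carries both the Hardened tag and a pie-<version> patchset tag.
is_hardened_banner() {
    grep '^gcc version' | grep 'Gentoo Hardened' | grep -q 'pie-[0-9]'
}

# elf_type FILE: prints e_type as a decimal number
# (2 = ET_EXEC, fixed address; 3 = ET_DYN, PIE or shared object).
# Fails if FILE does not start with the ELF magic.
elf_type() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ] || return 1
    ei_data=$(od -An -tu1 -j5 -N1 "$1" | tr -d ' \n')   # 1 = LSB, 2 = MSB
    b0=$(od -An -tu1 -j16 -N1 "$1" | tr -d ' \n')       # e_type, first byte
    b1=$(od -An -tu1 -j17 -N1 "$1" | tr -d ' \n')       # e_type, second byte
    if [ "$ei_data" = 2 ]; then
        echo $((b0 * 256 + b1))
    else
        echo $((b1 * 256 + b0))
    fi
}

# Run after `gcc-config <version>` and `source /etc/profile`,
# before emerging system and world.
check_selected_gcc() {
    # gcc -v writes its banner to stderr
    if ! gcc -v 2>&1 | is_hardened_banner; then
        echo "selected gcc does not report a Hardened/pie build" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Build with no extra flags, so the result reflects the compiler default
    echo 'int main(void){return 0;}' | gcc -x c - -o "$tmp" 2>/dev/null
    t=$(elf_type "$tmp")
    rm -f "$tmp"
    if [ "$t" != 3 ]; then
        echo "selected gcc does not build PIE by default (e_type=$t)" >&2
        return 1
    fi
    echo "selected gcc is Hardened and builds PIE by default"
}
```

Calling `check_selected_gcc` in the same shell that will run the emerges also catches the case where /etc/profile was not re-sourced, since it tests whichever `gcc` that shell resolves.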