At some indeterminate time not too long ago, the hardened team took over maintenance of the new profile, and some users are receiving notifications to update their obsolete profile to the new one. So, let's update my Hardened AMD64 laptop and see what happens.
Switching Profiles
Initially, my laptop was set up using the old hardened amd64 multilib profile:
Current make.profile symlink: hardened/amd64/multilib
I switched to the new profile, under the hardened/linux tree:
platypus ~ # eselect profile set 20
platypus ~ # eselect profile show
Current make.profile symlink: hardened/linux/amd64/10.0
And ran:
platypus ~ # emerge --newuse --verbose --deep --ask @world
I got a ton of hits -- 111 reinstalls and 20 new installs -- but the actual changes in my profile were really quite minor.
Multilib
The most obvious change here is that multilib is now the default state for a hardened profile. If you want a non-multilib amd64 system, you need to pick the no-multilib profile explicitly. This matches the non-hardened setup for the 10.0 profile, but is a change from the old hardened profile that had a separate multilib option.
Masked Packages
Just to get my complaining out of the way early: there's been no change in the set of masked packages between the two profiles. Put another way, to get the latest working copies of hardened gcc, glibc, and portage, you still need to manually unmask them. This makes me sad, especially this comment in the hardened/linux/package.mask file:
# No hardened >=sys-devel/gcc-4.4 available.
>=sys-devel/gcc-4.4
This is clearly contradicted by the fact that I've been using hardened gcc 4.4 for months. But that's a rant for another day.
USE Flag Changes
As you probably expect, most of the changes in the profile are in the default USE flags. One in particular causes a ton of reinstalls: the 'nls' USE flag is gone. I can't see any particular reason why nls would be removed from the new hardened profile, when it's present in both the non-hardened and old hardened ones. Since I don't really need nls, I'll just leave it out.
Besides removing nls from the default set, a number of flags were added, some of which seem a bit strange. +iconv, +gpm, +gdbm, +pcre, and +ncurses seem like unusual choices to add to the default USE flag set, especially given how few packages use them. I already had +python and +perl in my global USE flags, and +pcre in a few package.use entries, so I got to remove those. Finally, I can see a decent argument for why +acl should be present on a hardened system; but I don't build ACL support into my kernel, so this one's getting turned back off.
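To see exactly which default USE flags a profile switch changes before running the world update, the script below walks a profile's parent chain and stacks each make.defaults USE assignment the way portage does (parents first, '-flag' removes, '-*' clears), then diffs two profiles. This is an added example, not from the original post; the profile contents it builds are constructed to mimic the change described above and are not the real Gentoo profile files, and it only considers make.defaults (not use.mask, use.force or make.conf).

```python
import os
import re
import tempfile

# Matches a single-line USE="..." assignment in make.defaults.
USE_RE = re.compile(r'^USE="([^"]*)"', re.MULTILINE)

def use_tokens(make_defaults):
    """Tokens of the USE="..." assignment in one make.defaults, or []."""
    if not os.path.exists(make_defaults):
        return []
    with open(make_defaults) as fh:
        match = USE_RE.search(fh.read())
    return match.group(1).split() if match else []

def profile_use(profile_dir, use=None):
    """Effective default USE set of a profile directory.
    Parents listed in `parent` are evaluated first, in order, then the
    profile's own make.defaults. USE is incremental: '-flag' drops a flag
    set by an ancestor and '-*' clears everything accumulated so far."""
    if use is None:
        use = set()
    parent_file = os.path.join(profile_dir, "parent")
    if os.path.exists(parent_file):
        with open(parent_file) as fh:
            for line in fh:
                rel = line.strip()
                if rel and not rel.startswith("#"):
                    profile_use(os.path.normpath(os.path.join(profile_dir, rel)), use)
    for tok in use_tokens(os.path.join(profile_dir, "make.defaults")):
        if tok == "-*":
            use.clear()
        elif tok.startswith("-"):
            use.discard(tok[1:])
        else:
            use.add(tok)
    return use

def diff_profiles(old_dir, new_dir):
    """(flags the new profile adds, flags it drops) relative to the old one."""
    old, new = profile_use(old_dir), profile_use(new_dir)
    return sorted(new - old), sorted(old - new)

# Constructed sample tree: a shared base, an old profile, and a new profile
# that drops nls and adds the flags the post lists. NOT the real Gentoo files.
SAMPLE_FILES = {
    "base/make.defaults": 'USE="nls"\n',
    "old/parent": "../base\n",
    "old/make.defaults": 'USE="hardened multilib"\n',
    "new/parent": "../base\n",
    "new/make.defaults": 'USE="hardened multilib -nls acl iconv gpm gdbm pcre ncurses python perl"\n',
}

def sample_diff():
    """Write the sample tree to a temp dir and diff old -> new."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return diff_profiles(os.path.join(root, "old"), os.path.join(root, "new"))

if __name__ == "__main__":
    added, removed = sample_diff()
    print("added:  ", " ".join(added))
    print("removed:", " ".join(removed))
```

Point the two arguments of diff_profiles at real profile directories under /usr/portage/profiles to compare the actual old and new hardened profiles on your own box.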
Conclusion
Overall the switch was pretty painless. Had I been in a hurry, adding +nls to my global USE flags would have cut the package reinstalls down to fewer than 20. I'd like to see more progress toward getting hardened gcc/glibc up to date, but otherwise, thumbs up to the new official hardened profile.