2011/10/20 Tomáš Chvátal <scarab...@gentoo.org>:
> I would say that most hardened features should be merged to the main
> profile as soon as they won't cause major PITA for the regular users.
I agree - especially for stuff that doesn't require active setup (stack protection, PaX, etc). If there are features that we could turn on but for a few packages, maybe the solution there is to discuss them on-list and target them for future adoption and make an effort to fix the impacted ebuilds. Fix could mean either making the package work with the hardened feature, or disabling it just for that package (filter-flags, tag binaries not to run with features, etc).

The hardened profile can still of course be the place where we push the envelope at the cost of more packages being masked, and there will always be things like MAC that represent a big change in how a system is run that will take a long time to become mainstream.

Rich
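The per-package opt-out the reply mentions (filter-flags for SSP, tagging a binary so PaX leaves it alone) looks like this in an ebuild. This is an added illustration, not code from the mail or from any Gentoo package; the package name, the binary path and the reason it breaks are assumptions.

```ebuild
# Hypothetical ebuild (constructed example, not a real Gentoo package).
EAPI=4

inherit flag-o-matic pax-utils

DESCRIPTION="Example package assumed to break under SSP and PaX MPROTECT"
HOMEPAGE="https://example.invalid/"   # placeholder
SRC_URI="https://example.invalid/${P}.tar.gz"   # placeholder
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~amd64 ~x86"

src_configure() {
	# Opt only this package out of stack protection instead of masking it
	# in the profile; every other package keeps the hardened default.
	filter-flags -fstack-protector -fstack-protector-all
	econf
}

src_install() {
	emake DESTDIR="${D}" install
	# Assumed: the JIT binary generates code at runtime, so disable the
	# PaX MPROTECT flag ("m") on that one file and leave the rest enforced.
	pax-mark m "${ED}"/usr/bin/example-jit
}
```

Keeping the exception next to the package that needs it, rather than in the profile, is what lets the default profile carry the hardened feature for everyone else.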