On Wed, Oct 14, 2015 at 11:48:07PM -0400, Mike Frysinger wrote:
> USE=xattr is needed nowadays to support:
> - filesystem caps (those things that let you drop set*id and generally
>   improves system security w/little to no runtime overhead)
> - PaX file markings (replaces binutils ELF markings)
> - selinux
>
> we actually have USE=filecaps on by default already, and catalyst
> hard requires tar[xattr] in order to work. the hardened profile
> also package.use.force's this flag on for some core packages.
>
> not too many packages actually utilize this flag, and when they do,
> it's to pull in the attr package which clocks in at <200 KiB. the
> runtime overhead tends to be low to non-existent as xattrs tend to
> be used only when requested.
>
> when support is not available in the FS or kernel, packages should
> generally fall back gracefully.
>
> anyone opposed to flipping this flag on by default ?
>
> reference:
> https://bugs.gentoo.org/506198
> https://bugs.gentoo.org/556408
> -mike
As part of the hardened and SELinux teams, definitely +1 from me.

-- 
Jason
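The quoted message rests on the point that file capabilities live in the security.capability xattr and let a binary drop set*id. The following is an added example, not code from the thread or from any Gentoo package, showing what that xattr actually contains and how an auditor can classify a binary as setuid, setgid or capability-based, falling back gracefully when the filesystem or platform has no xattr support. The record layout follows struct vfs_cap_data from <linux/capability.h>; the capability name table is a deliberate subset (unlisted bits are reported by number), the two sample blobs are constructed rather than captured from a real system, and all function names are this example's own.

```python
# Added example (not from the gentoo-dev thread): decode the security.capability
# xattr that stores Linux file capabilities and classify how a binary gains
# privilege. Layout per struct vfs_cap_data in <linux/capability.h>.
import os
import stat
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000   # 20 bytes: magic + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000   # 24 bytes: adds rootid for user namespaces
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
XATTR_NAME_CAPS = "security.capability"

# Subset of the numbering in <linux/capability.h>; other bits render as cap_<n>.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    6: "cap_setgid", 7: "cap_setuid", 10: "cap_net_bind_service",
    12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin", 34: "cap_syslog",
}


def cap_names(mask):
    """Expand a 64-bit capability mask into sorted capability names."""
    return sorted(CAP_NAMES.get(i, "cap_%d" % i) for i in range(64) if (mask >> i) & 1)


def decode_vfs_cap(blob):
    """Parse a raw security.capability value (little-endian, revision 2 or 3).
    The legacy 12-byte revision 1 record is rejected on purpose."""
    if len(blob) < 4:
        raise ValueError("capability xattr too short")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        expected_len = 20
    elif revision == VFS_CAP_REVISION_3:
        expected_len = 24
    else:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    if len(blob) != expected_len:
        raise ValueError("expected %d bytes, got %d" % (expected_len, len(blob)))
    # data[0] covers capabilities 0-31, data[1] covers 32-63
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "rootid": rootid,
    }


def is_valid_vfs_cap(blob):
    """True when the blob decodes as a revision 2 or 3 record."""
    try:
        decode_vfs_cap(blob)
        return True
    except ValueError:
        return False


def format_caps(caps):
    """Render a decoded record in the cap_name=flags style of getcap(8)."""
    flags_by_cap = {}
    for bit in range(64):
        flags = ""
        if (caps["permitted"] >> bit) & 1:
            flags += "p"
            if caps["effective"]:
                flags += "e"   # the effective bit applies to every permitted cap
        if (caps["inheritable"] >> bit) & 1:
            flags += "i"
        if flags:
            flags_by_cap[CAP_NAMES.get(bit, "cap_%d" % bit)] = "".join(sorted(flags))
    return ",".join("%s=%s" % kv for kv in sorted(flags_by_cap.items()))


def read_file_caps(path):
    """Decoded capability set, or None when the file has none or xattrs are
    unavailable (the graceful fallback the thread asks packages to provide)."""
    try:
        blob = os.getxattr(path, XATTR_NAME_CAPS)
    except AttributeError:      # os.getxattr exists only on Linux builds
        return None
    except OSError:             # ENODATA (no caps), ENOTSUP (no xattrs), ENOENT ...
        return None
    return decode_vfs_cap(blob)


def classify_privilege(path):
    """How a binary gains privilege: 'setuid', 'setgid', 'filecaps' or 'none'."""
    mode = os.stat(path).st_mode
    if mode & stat.S_ISUID:
        return "setuid"
    if mode & stat.S_ISGID:
        return "setgid"
    if read_file_caps(path) is not None:
        return "filecaps"
    return "none"


# Constructed sample values, not captured from any real system.
# Revision 2, effective, permitted = cap_net_bind_service (bit 10), nothing inheritable.
SAMPLE_V2 = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 10, 0, 0, 0)
# Revision 3, not effective, permitted = cap_net_raw | cap_syslog, inheritable = cap_net_raw,
# rootid 1000 (honoured only where uid 1000 is root in the user namespace).
SAMPLE_V3 = struct.pack("<IIIIII", VFS_CAP_REVISION_3, 1 << 13, 1 << 13, 1 << (34 - 32), 0, 1000)

if __name__ == "__main__":
    import sys
    for blob in (SAMPLE_V2, SAMPLE_V3):
        print(format_caps(decode_vfs_cap(blob)))
    # Inventory privileged executables under a directory (default /usr/bin).
    for root, _, files in os.walk(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        for name in files:
            path = os.path.join(root, name)
            try:
                kind = classify_privilege(path)
            except OSError:     # dangling symlink, permission denied, ...
                continue
            if kind != "none":
                print(kind, path)
```

Run without arguments it prints the two constructed records in getcap style and then walks /usr/bin; on a system where a package has been converted from setuid to file capabilities, the same binary moves from the "setuid" list to the "filecaps" list, which is the migration the thread is enabling by default.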