Hello, so I've been running Gentoo Hardened for a few years on my laptop, my desktop, and a server made from an older desktop.
Because of Grsecurity closing access to its source to non-subscribers, I decided that I would just try to stick with Gentoo-sources and harden the default profile and follow the KSSP guidelines to get as close as possible without losing the testing kernel. Because of this, I no longer used the PaX features and decided switch to the default profile and enabling my own flags. I enabled pie, ssp, and appended my CFLAGS with -fstack-protector-all and LDFLAGS with full RELRO support (and --sort-common). I saw that GCC still uses the FORTIFY patch so I didn't need to add that. So far I've had absolutely no issues with this setup but I was trying to see if there's anything else I could do to bridge it closer to where it was and noticed that there are several warnings against this as it could break packages (including glibc). I've had no breakages myself that are visable at least and no build failures. So I was just wondering if ~arch is ready for more secure defaults on the 17.0 profiles in the linker flags. There are several distributions which ship RELRO by default and I am not aware of any performance issues regarding this. At least to me it shouldn't be warned against unless there are lots of build failures these days. Of course though, I'm not a dev and would like to see your perspective on this. Thank you, Michael Brinkman
