hardened/linux/amd64 vs default/linux/amd64/17.0/hardened?

[Philippe23]

Little confused about the Nov 30th enews (" New 17.0 profiles in the Gentoo repository") as it relates to the non-17.0 hardened profiles....

1. What's the difference between the default/linux/amd64/17.0/hardened and hardened/linux/amd64 profiles?
   
2. Is hardened/linux/amd64 under the same 6-months-to-live as the 13.0 profiles?
   
3. I'm on hardened/linux/amd64, should I be moving to the .../17.0/hardened in the short term?
   

[brendlefly62]

See this thread https://forums.gentoo.org/viewtopic-t-1062792-highlight-.html

Cheers

[Philippe23]

Direct link to what I assume brendlefly62 was referencing from Oct 25th: https://forums.gentoo.org/viewtopic-p-8134240.html#8134240

I'm so confused because default/linux/amd64/17.0/hardened was added just a few weeks before that (Oct 7th): https://github.com/gentoo/gentoo/commit/e3f1d1330ef365769d7f7bf699c9ee6946192244#diff-a8fa01e66f4ad5b78a37dcd2b31a79df

And it was just added to eselect 2-days ago, which doesn't seem like something that's "going away", but the profile discussion is muddled with the grsec kernel patches going away in that post.

[brendlefly62]

Philippe23 - yes there are two parts to the thread above. My question there was about the future of hardened in gentoo's line of profiles. Short version of the answer was that it continues, but it is moved as you observed in your original post above. My take from 30 November news item was yes, migrate. I suppose the easy way to see the implications would be to use eselect and run emerge --info ( without actually merging anything of course)

I am also concerned about the security implications of the non-availability of grsec from upstream, but that is a separate issue

All that said, I to still have my original question about the future of hardened in Gentoo's line of profiles, and would like to know if we will continue to see it as hardened/arch as well as arch/17.0/hardened.

[Hu]

[Philippe23]

I switched to the new .../17.0/hardened profile and the only difference I ran into was that berkdb wasn't set (I have an explicit -gdbm, so that might be the default in .../17.0/hardened), and I had to enable tcpd, urandom, and session. Those were the only use flag changes. Seems that most of the core settings are the same (eg: hardened, pie, ssp).

[brendlefly62]

Good info, Philippe23, and thanks, Hu. I appreciate the disclaimer; I have the same disclaimer and less expertise/experience than you, and what you say should happen makes sense to me, but it's not obvious the that "hardened/linux/amd64" would disappear with 13.0, nor that it was built on the 13.0 profiles as you say. It existed among the choices in eselect before 13.0 appeared there. In the profile directory tree, "hardened" previously showed up only as a "peer level" alternative to "default", and since I've been using Gentoo, I've not seen hardened appear as a subdirectory of the numbered release under "default" in the directory tree. (I.e. I've been a "hardened" user, rather than a "hardened 13.0 user" since the latter has not really been a profile option. See extract of "eselect profile list" below) Now it's showing up under 17.0 as an alternative to "desktop, selinux, developer, no-multilib, systemd, and x32 -- but it is ALSO still showing up at the top of the tree as an alternative to "default" -- will that continue to be the case? I suspect/hope not, but I want to ask (as I presume does Philippe23)

[zorry]

The new Hardened 17.0 profile is using a a modular open system approach that can easily accommodate new profiles.
The main part of the profile is moved from hardened to features/hardened.
So now we just add sub profiles in the main default 17.0 profile. We have change some of the USE flag settings and set PaX makings to XATTR as default.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)