> But, after we drop PT_PAX, this is only *worse* for the people in
> (1.a). That's a much smaller group than /everyone/ who switches to
> hardened.
There seems to be the theoretical possibility of dropping XT_PAX instead of PT_PAX. The correct working of PaX markings would then not depend on the file system used. Therefore users with and without capable file systems could switch to hardened freely, since all the PaX markings would have been successfully applied to the executables. I am only a user of Gentoo Hardened (amd64) and do not know why that option does not seem to be a viable path. Is it because of self-checking binary blobs? Perhaps it should at least be a valid choice to not drop the (legacy?) PT_PAX markings - just in case you want to use hardened without xattr or want to upgrade from vanilla.

-- Allan Wegan