On 3/15/2011 2:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
> 
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

First off, is there a reason you want to switch back to non-hardened? I
run hardened on all my machines by default; almost every package in
portage is now hardened-aware and builds/runs correctly. For those few
that don't, there's paxctl and/or softmode (looking at you, openoffice).

I've gone both ways with no real issues, though admittedly not on the
same machine :)

I'm assuming you're including a switch to a hardened kernel as part of
this. That's the biggest possible source of problems: if you have a
PAX-enabled kernel then all of your binaries need to be built by the
hardened toolchain, or there is a decent chance they'll fail.

Definitely follow the FAQ for the details, but the basic process should be:

* switch profiles -> hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world
* build then boot hardened kernel

* <test test test test test>

* boot non-hardened kernel
* switch profiles -> non-hardened
* emerge gcc glibc binutils
* emerge @system
* emerge @world

Note that the emerge @world emerges are definitely overkill time-wise
but much, much safer and simpler unless you are very aware of what
you're doing, what the packages are doing, how hardened's features
interact, etc.

Also, when building your PAX kernel,

MAKE SURE YOU INCLUDE SOFTMODE SUPPORT

That way, if something misbehaves and you can't fix it you can enable
soft mode and PAX will stop killing things on you.

> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

IIRC, @system is not in @world unless you put it there yourself. (This
might depend on your portage version, though.)

--Mike
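
A pre-flight check for the softmode warning above, as an added example that is not from the list post: it reads a kernel .config and distinguishes a config with no PaX at all, a PaX config without softmode (the risky case), and one that can fall back to soft mode. The CONFIG_PAX_* option names and the kernel.pax.softmode sysctl are assumed to be those of the grsecurity/PaX patch used by hardened-sources; the sample configs are constructed inline.

```shell
#!/bin/sh
# Check a kernel .config before building/booting a PaX kernel, so the
# "include softmode support" step is not forgotten.
# Assumption: option names follow the grsecurity/PaX patch (CONFIG_PAX,
# CONFIG_PAX_SOFTMODE, CONFIG_PAX_PAGEEXEC, ...); the runtime fallback is
# the kernel.pax.softmode sysctl (also assumed from the PaX documentation).

# Exit status: 0 = PaX on and softmode compiled in
#              1 = no PaX at all (not a hardened kernel config)
#              2 = PaX on but no softmode (misbehaving binaries can't be rescued)
check_pax_softmode() {
    cfg="$1"
    if ! grep -q '^CONFIG_PAX=y' "$cfg"; then
        echo "$cfg: CONFIG_PAX not set, not a PaX-enabled kernel" >&2
        return 1
    fi
    # Enforcement features that will kill or refuse non-hardened binaries
    features=$(grep -E '^CONFIG_PAX_(PAGEEXEC|SEGMEXEC|MPROTECT|ASLR|RANDMMAP|EMUTRAMP|KERNEXEC)=y' "$cfg" \
               | cut -d= -f1 | tr '\n' ' ')
    echo "$cfg: PaX features enabled: ${features:-none}"
    if grep -q '^CONFIG_PAX_SOFTMODE=y' "$cfg"; then
        echo "$cfg: softmode available (sysctl kernel.pax.softmode=1 disables enforcement)"
        return 0
    fi
    echo "$cfg: CONFIG_PAX_SOFTMODE missing, rebuild the kernel with it before booting it" >&2
    return 2
}

# Constructed sample configs, one per case (not real files)
GOOD_CFG=$(mktemp); NOSOFT_CFG=$(mktemp); PLAIN_CFG=$(mktemp)
printf '%s\n' CONFIG_PAX=y CONFIG_PAX_SOFTMODE=y CONFIG_PAX_PAGEEXEC=y \
              CONFIG_PAX_MPROTECT=y CONFIG_PAX_ASLR=y > "$GOOD_CFG"
printf '%s\n' CONFIG_PAX=y CONFIG_PAX_PAGEEXEC=y CONFIG_PAX_MPROTECT=y > "$NOSOFT_CFG"
printf '%s\n' CONFIG_X86=y CONFIG_MODULES=y > "$PLAIN_CFG"

# Run the check over all three; a non-zero status is reported, not fatal
for f in "$GOOD_CFG" "$NOSOFT_CFG" "$PLAIN_CFG"; do
    check_pax_softmode "$f" || echo "$f: check failed with status $?"
done
```

Point it at /usr/src/linux/.config before step "build then boot hardened kernel"; a status of 2 means you would have no runtime escape hatch once PaX starts killing binaries.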
