From 12e357ceeef0f3a4e17da01a0cf7591b629ca63b Mon Sep 17 00:00:00 2001
From: "Andreas K. Hüttel"
Date: Wed, 29 Nov 2017 23:03:11 +0100
Subject: Add 17.0 profiles news item
---
.../2017-11-30-new-17-profiles.en.txt | 50 ++++++++++++++++++++++
.../2017-11-30-new-17-profiles.en.txt.asc | 19 ++++++++
2 files changed, 69 insertions(+)
create mode 100644 2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt
create mode 100644 2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt.asc
(limited to '2017-11-30-new-17-profiles')
diff --git a/2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt b/2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt
new file mode 100644
index 0000000..0ac7d5e
--- /dev/null
+++ b/2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt
@@ -0,0 +1,50 @@
+Title: New 17.0 profiles in the Gentoo repository
+Author: Andreas K. Hüttel
+Posted: 2017-11-30
+Revision: 1
+News-Item-Format: 2.0
+Display-If-Installed: >=sys-devel/gcc-6.4.0
+
+We have just added (for all arches except arm and mips, these follow
+later) a new set of profiles with release version 17.0 to the Gentoo
+repository. These bring three changes:
+1) The default C++ language version for applications is now C++14.
+ This change is mostly relevant to Gentoo developers. It also
+ means, however, that compilers earlier than GCC 6 are masked
+ and not supported for use as a system compiler anymore. Feel
+ free to unmask them if you need them for specific applications.
+2) Where supported, GCC will now build position-independent
+ executables (PIE) by default. This improves the overall
+ security fingerprint. The switch from non-PIE to PIE binaries,
+ however, requires some steps by users, as detailed below.
+3) Up to now, hardened profiles were separate from the default
+ profile tree. Now they are moving into the 17.0 profile
+ as a feature there, similar to "no-multilib" and "systemd".
+
+Please migrate away from the 13.0 profiles within the six weeks after
+GCC 6.4.0 has been stabilized on your architecture. The 13.0 profiles
+will be deprecated then and removed in half a year.
+
+If you are not already running a hardened setup with PIE enabled, then
+switching the profile involves the following steps:
+If not already done,
+* Use gcc-config to select gcc-6.4.0 or later as system compiler
+* Re-source /etc/profile:
+ . /etc/profile
+* Re-emerge libtool
+ emerge -1 sys-devel/libtool
+Then,
+* Select the new profile with eselect
+* Re-emerge, in this sequence, gcc, binutils, and glibc
+ emerge -1 sys-devel/gcc:6.4.0
+ emerge -1 sys-devel/binutils
+ emerge -1 sys-libs/glibc
+* Rebuild your entire system
+ emerge -e @world
+
+Switching the profile from 13.0 to 17.0 modifies the settings of
+GCC 6 to generate PIE executables by default; thus, you need to do
+the rebuilds even if you have already used GCC 6 beforehand.
+If you do not follow these steps you may get spurious build
+failures when the linker tries unsuccessfully to combine non-PIE
+and PIE code.
diff --git a/2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt.asc b/2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt.asc
new file mode 100644
index 0000000..4f1f79c
--- /dev/null
+++ b/2017-11-30-new-17-profiles/2017-11-30-new-17-profiles.en.txt.asc
@@ -0,0 +1,19 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQKTBAABCgB9FiEEwo/LD3vtE3qssC2JpEzzc+fumeQFAlofLntfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMy
+OEZDQjBGN0JFRDEzN0FBQ0IwMkQ4OUE0NENGMzczRTdFRTk5RTQACgkQpEzzc+fu
+meSTSxAAzuipE/owKHTuhqo4kBtvcXHhEXRrXnQWH9fYQWYmf6t0FX/Am3/Vuf6g
+BXzojK9RAr6xzT38L6EzVgVLd/BCNQEcmqs7IUP7Q76M8wbzUZI0oX38z+GIbg5d
+xYKMZRiPHM3RgARKNY3x0OKJSmDm3wBVpz5lub41qy+4Yr7VeQn+pfmJugK2wohy
+iwODyjnEe+N9QE+92Qb2icskMjgxdg++aithY/W0t0Nn23b5WrnvgkQF22AEsGf5
+yf7ooqdo6S4JCSZ2zoVsACmZwax6lFSpZ0dE+3T4idKfrHLkS3JqunfBzpWfhIK0
+S71o/xkwYfDJUQpM5+A5H3t1TlZg1Kgn7k+wP6MRd8Dm3IV7098NdxAjCPPcKe0I
+lEZXTSOq47DvV7seHGxLITY1yoFUnwF4v4BxzMxnLkV9KFfptb3yreAChrUuQz0P
+SRohrbiEk5tKlSwkIHw/CDvoC7gpUFfQY/h745FFZ2O8SuBibE5MP9iHwCSFP0a3
+wYQU2mcqoNwJXOFhJivljUJLoieWvgzbQ319JTmvEBMTH0Qs0vklQ3QuGYqG9zUS
+pOC0GkBXbC1/QVBcuuAW0m0x/Z9GIG4u057gQYpB9m6AJ2FI5WCDGTYwh2VkBKs1
+Q86pZrNmI3B8JK9krYZS8c0tmRNl4eMKGIIUyd4WbErtICnADw8=
+=U4Gj
+-----END PGP SIGNATURE-----
--
cgit v1.2.3-65-gdbad