--- wikisrc/pkgsrc/hardening.mdwn	2017/11/05 23:54:11	1.23
+++ wikisrc/pkgsrc/hardening.mdwn	2017/11/06 00:04:07	1.24
@@ -11,9 +11,15 @@ Mechanisms can be enabled individually i
 individually described below.  They are sorted by whether thery are
 enabled by default, and then by their ordering in mk/defaults/mk.conf.
 
-For each, see the Caveats section below for an explanation of what
-might go wrong at compile time and at run time, and how to notice and
-address these problems.
+Typically, a feature will cause some programs to fail to build or work
+when first enabled.  This can be due to latent problems in the
+program, and can be due to other reasons.  After enough testing to
+have confidence that user problems will be quite rare, individual
+mechanisms will be enabled by default.
+
+For each mechanism, see the Caveats section below for an explanation
+of what might go wrong at compile time and at run time, and how to
+notice and address these problems.
 
 ## Enabled by default in the stable branch
 
@@ -61,6 +67,13 @@ this means NetBSD 8 and later, i386 and 
 This also makes the exploitation of some security vulnerabilities more
 difficult in some cases.
 
+TODO: Explain gcc vs clang, and whether this has broad support or just
+a few platforms.
+
+TODO: Address "partial" vs "full"; which is this?
+
+TODO: Give a link to a comprehensive explanation.
+
 ### PKGSRC_USE_STACK_CHECK
 
 This uses `-fstack-check` with GCC for another stack protection