--- wikisrc/pkgsrc/hardening.mdwn 2017/11/05 23:54:11 1.23 +++ wikisrc/pkgsrc/hardening.mdwn 2017/11/06 00:04:07 1.24 @@ -11,9 +11,15 @@ Mechanisms can be enabled individually i individually described below. They are sorted by whether thery are enabled by default, and then by their ordering in mk/defaults/mk.conf. -For each, see the Caveats section below for an explanation of what -might go wrong at compile time and at run time, and how to notice and -address these problems. +Typically, a feature will cause some programs to fail to build or work +when first enabled. This can be due to latent problems in the +program, and can be due to other reasons. After enough testing to +have confidence that user problems will be quite rare, individual +mechanisms will be enabled by default. + +For each mechanism, see the Caveats section below for an explanation +of what might go wrong at compile time and at run time, and how to +notice and address these problems. ## Enabled by default in the stable branch @@ -61,6 +67,13 @@ this means NetBSD 8 and later, i386 and This also makes the exploitation of some security vulnerabilities more difficult in some cases. +TODO: Explain gcc vs clang, and whether this has broad support or just +a few platforms. + +TODO: Address "partial" vs "full"; which is this? + +TODO: Give a link to a comprehensive explanation. + ### PKGSRC_USE_STACK_CHECK This uses `-fstack-check` with GCC for another stack protection
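Review bot: In the first hunk (@@ -11,9 +11,15 @@), the added sentence "This can be due to latent problems in the program, and can be due to other reasons" gives the reader nothing to act on in its second half. Either name the other causes or drop the clause and let the Caveats pointer in the next paragraph carry it, for example "This is often due to latent problems in the program; see Caveats below for other causes." The sentence about enabling mechanisms by default "after enough testing" would also be easier to rely on if it said who decides or where that testing is tracked. Since the hunk already touches this paragraph, the typo "thery" in the unchanged context line ("sorted by whether thery are enabled by default") could be fixed in the same commit.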
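Review bot: In the second hunk (@@ -61,6 +67,13 @@), the three TODO lines are added as ordinary body text directly above "### PKGSRC_USE_STACK_CHECK", so they will render in the published page as part of the preceding mechanism's description. The one that matters most is "Address "partial" vs "full"; which is this?": until it is answered, a reader cannot tell which level of protection enabling the option actually gives them, and the existing claim that it "makes the exploitation of some security vulnerabilities more difficult in some cases" stays unqualified. I would resolve that question before committing, or at least state in the text that the mode is not yet documented, and keep the compiler-support and reference-link TODOs in a clearly marked open-items list rather than inline in the section.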