--- wikisrc/pkgsrc/hardening.mdwn 2017/11/07 02:26:54 1.32 +++ wikisrc/pkgsrc/hardening.mdwn 2017/11/07 02:37:43 1.33 @@ -55,6 +55,7 @@ for unsafe programming languages, such a It is enabled by default where known supported since pkgsrc-2017Q3. +More details can be found here: * ## Enabled by default in pkgsrc HEAD @@ -80,12 +81,18 @@ Currently, this means NetBSD on amd64 an This also makes the exploitation of some security vulnerabilities more difficult in some cases. -TODO: Explain gcc vs clang, and whether this has broad support or just -a few platforms. +Two different mitigation levels are available: +* partial: the ELF sections are reordered so that internal data sections + precede the program's own data sections, and non-PLT GOT is read-only; +* full: in addition to partial RELRO, every relocation is performed immediately + when starting the program (with a slight performance impact), allowing the + entire GOT to be read-only. -TODO: Address "partial" vs "full"; which is this? +This is currently supported by GCC. Many software distributions now enable this +feature by default, at the "partial" level. -TODO: Give a link to a comprehensive explanation. +More details can be found here: +* ### PKGSRC_USE_STACK_CHECK @@ -278,8 +285,3 @@ additional symbols in the resulting file 0000000000600ea0 B __stack_chk_guard This is an indicator that the program was indeed built with support for SSP. - -# References - -* -
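Review bot: In the first hunk (@@ -55,6 +55,7 @@), the added line "+More details can be found here:" is followed by a bullet "*" with no visible link target, so as shown the reader ends up with an empty list item right before "## Enabled by default in pkgsrc HEAD"; either put the URL after the "*" or hold the line back until there is a reference to point to.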
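Review bot: In the second hunk (@@ -80,12 +81,18 @@), the removed line "-TODO: Address "partial" vs "full"; which is this?" is not actually answered by the replacement: the new text says that "Many software distributions now enable this feature by default, at the "partial" level" but never states which level pkgsrc's own option selects, so add one sentence saying whether pkgsrc builds get partial or full RELRO. The same applies to the dropped "-TODO: Explain gcc vs clang, and whether this has broad support or just a few platforms": "+This is currently supported by GCC." covers GCC only and says nothing about Clang or about which platforms are covered. The two bullets describing partial and full RELRO read correctly (read-only non-PLT GOT for partial, all relocations resolved at program start for full), and the closing "+More details can be found here:" again has a "*" with no visible target.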
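Review bot: The third hunk (@@ -278,8 +285,3 @@) deletes the whole "# References" section together with its single bullet, which is consistent with moving links into per-feature "More details can be found here:" lists, but only the two sections touched in this diff gained such a list; check that no other section of the page still directs readers to a References section that no longer exists, and that the link the deleted bullet carried is not lost with it.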