--- wikisrc/pkgsrc/hardening.mdwn	2021/04/06 10:36:45	1.47
+++ wikisrc/pkgsrc/hardening.mdwn	2021/10/01 15:48:03	1.48
@@ -47,23 +47,22 @@ and therefore exposing these bugs.
 
 Different mitigation levels are available:
 
-* the default ("yes"), which will only protect functions considered vulnerable
+* "yes", which will only protect functions considered vulnerable
   by the compiler;
 * "all", which will protect every function;
-* "strong", which will apply a better balance between the two settings above.
+* "strong", the default, which will apply a better balance between the two settings above.
 
 This mitigation is supported by both GCC and clang. It may be supported in
 additional compilers, possibly under a different name. It is particularly useful
 for unsafe programming languages, such as C/C++.
 
-It is enabled by default where known supported since pkgsrc-2017Q3.
+"yes" is enabled by default where known supported since pkgsrc-2017Q3.
+"strong" is enabled by default where known supported since pkgsrc-2021Q4.
 
 More details can be found here:
 
 * <https://en.wikipedia.org/wiki/Buffer_overflow_protection>
 
-## Not enabled by default
-
 ### PKGSRC_MKPIE
 
 This requests the creation of PIE (Position Independent Executables) for all
@@ -77,19 +76,10 @@ exploits harder to construct. With PIE, 
 program, instead of the stack and heap only.
 
 PIE executables will only be built for toolchains that are known to support PIE.
-Currently, this means NetBSD on amd64 and i386.
+Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS.
 
-### PKGSRC_MKREPRO
+PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch.
 
-With this option, pkgsrc will try to build packages reproducibly. This allows
-packages built from the same tree and with the same options, to produce
-identical results bit by bit. This option should be combined with ASLR and
-`PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to
-exploit security vulnerabilities.
-
-More details can be found here:
-
-* <https://reproducible-builds.org/>
 
 ### PKGSRC_USE_RELRO
 
@@ -109,8 +99,25 @@ feature by default, at the "partial" lev
 
 More details can be found here:
 
+* <https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro>
 * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
 
+## Not enabled by default
+
+### PKGSRC_MKREPRO
+
+With this option, pkgsrc will try to build packages reproducibly. This allows
+packages built from the same tree and with the same options, to produce
+identical results bit by bit. This option should be combined with ASLR and
+`PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to
+exploit security vulnerabilities.
+
+More details can be found here:
+
+* <https://reproducible-builds.org/>
+
+More work likely needs to be done before pkgsrc is fully reproducible.
+
 ### PKGSRC_USE_STACK_CHECK
 
 This uses `-fstack-check` with GCC for another stack protection mitigation.
@@ -123,11 +130,6 @@ multi-threaded programs.
 
 ## Problems with `PKGSRC_MKPIE`
 
-### Recent support for cwrappers
-
-`PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3
-release on (`USE_CWRAPPERS` in `mk.conf`).
-
 ### Packages failing to build
 
 A number of packages may fail to build with this option enabled. The failures
@@ -153,10 +155,17 @@ For packages using `Imakefiles`:
 ### Run-time crashes
 
 Some programs may fail to run, or crash at random times once built as PIE. Two
-scenarios are essentially possible:
+scenarios are essentially possible. This is nearly always due to a bug in
+the program being exposed due to ASLR.
 
-* actual bug in the program crashing, exposed thanks to ASLR/mprotect;
-* bug in the implementation of ASLR/mprotect in the Operating System.
+### Disabling PKGSRC_MKPIE on a per-package basis
+
+Ideally, packages should be fixed for compatibility with MKPIE.
+However, in some cases this is very difficult, due to complex build systems,
+packages using non-standard toolchains, or programming languages with odd
+bootstrapping mechanisms.
+
+To disable `PKGSRC_MKPIE` on a per-package basis, set `MKPIE_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included.
 
 ## Problems with `PKGSRC_USE_FORTIFY`
 
@@ -208,6 +217,10 @@ initialization routine can run, and the 
 them directly and abort as a result. Unfortunately, this is how Xorg loads its
 drivers. Partial RELRO can be applied instead in this case.
 
+### Disabling RELRO on a per-package basis
+
+To disable RELRO on a per-package basis, set `RELRO_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included.
+
 ## Problems with `PKGSRC_USE_SSP`
 
 ### Packages failing to build