From 832c159bb9c521ebdce5751f5300624f12ac04a7 Mon Sep 17 00:00:00 2001
From: "Rick Farina (Zero_Chaos)"
Date: Wed, 16 Oct 2024 17:00:20 -0400
Subject: [PATCH 1/2] zero-profile: adding some relaxation for testing hardening flags
---
 profiles/pentoo/base/package.use/sys-libs | 1 +
 profiles/pentoo/zero-system/profile.bashrc | 285 +++++++++++++++++++++
 2 files changed, 286 insertions(+)
diff --git a/profiles/pentoo/base/package.use/sys-libs b/profiles/pentoo/base/package.use/sys-libs
index ebca160e85..56a7bc916d 100644
--- a/profiles/pentoo/base/package.use/sys-libs
+++ b/profiles/pentoo/base/package.use/sys-libs
@@ -1,4 +1,5 @@
 sys-libs/binutils-libs multitarget
+sys-libs/glibc profile
 sys-libs/libblockdev lvm
 sys-libs/libcxx -unwind
 sys-libs/libcxxapi -unwind
diff --git a/profiles/pentoo/zero-system/profile.bashrc b/profiles/pentoo/zero-system/profile.bashrc
index 5deb2e3735..745e978bdd 100644
--- a/profiles/pentoo/zero-system/profile.bashrc
+++ b/profiles/pentoo/zero-system/profile.bashrc
@@ -241,4 +241,289 @@ if [[ ${CATEGORY}/${PN} == dev-python/scipy ]]; then
 export FFLAGS="${FFLAGS/-flto/}"
 fi
+#GCC14 Hardening Relaxations
+if [[ ${CATEGORY}/${PN} == sys-libs/efivar ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/ffi ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/strscan ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/stringio ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/psych ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/io-console ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/rbs ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/racc ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/do_sqlite3 ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/json ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == sys-libs/liburing ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == net-libs/libpcap ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == app-text/ghostscript-gpl ]]; then
+ export CFLAGS="${CFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kguiaddons ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kwindowsystem ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == app-text/poppler ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/breeze-icons ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == app-text/qpdf ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == app-crypt/pinentry ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/ki18n ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kconfig ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kdbusaddons ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kidletime ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-plasma/layer-shell-qt ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kglobalaccel ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kitemviews ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kitemmodels ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/sonnet ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kholidays ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/karchive ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kstatusnotifieritem ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kcodecs ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/syntax-highlighting ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kquickcharts ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/modemmanager-qt ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kcoreaddons ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/attica ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/solid ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/bluez-qt ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kwidgetsaddons ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kdnssd ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kcrash ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kcolorscheme ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kpty ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kunitconversion ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kpackage ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kcompletion ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/krunner ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/knotifications ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-plasma/plasma-activities ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kconfigwidgets ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/ksvg ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kdesu ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kfilemetadata ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/networkmanager-qt ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-frameworks/kdoctools ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-plasma/libkscreen ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-plasma/kdecoration ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == kde-plasma/plasma-activities ]]; then
+ export CXXFLAGS="${CXXFLAGS} -fPIC"
+fi
+if [[ ${CATEGORY}/${PN} == dev-libs/libjcat ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/libv4l ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == gui-libs/gtk ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == app-crypt/gpgme ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == app-crypt/p11-kit ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/fontconfig ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/numpy ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+ export CXXFLAGS="${CXXFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == net-libs/libpsl ]]; then
+ export CXXFLAGS="${CXXFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-libs/libfmt ]]; then
+ export CXXFLAGS="${CXXFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/kiwisolver ]]; then
+ export CXXFLAGS="${CXXFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-cpp/glibmm ]]; then
+ export CXXFLAGS="${CXXFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-libs/libixion ]]; then
+ export CXXFLAGS="${CXXFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-libs/spdlog ]]; then
+ export CXXFLAGS="${CXXFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-libs/libnl ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/dav1d ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == net-libs/libmbim ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-libs/libxmlb ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == sys-libs/libnvme ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == sys-apps/dtc ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/virglrenderer ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/sratom ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/babl ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/openjpeg ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/lcms ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/graphene ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-ruby/yajl-ruby ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == sys-libs/cracklib ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == net-libs/ngtcp2 ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/libepoxy ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == app-arch/libdeflate ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/regex ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/tree-sitter ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/msgpack ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/websockets ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-libs/yajl ]]; then
+ export CFLAGS="${CFLAGS/-fPIE -pie/}"
+fi
+
 QA_CMP_ARGS='--quiet-nodebug'
From 4c34648f2fe15c6827cda76816b6bf9b0f69d540 Mon Sep 17 00:00:00 2001
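Review bot: `kde-plasma/plasma-activities` is listed twice in the CXXFLAGS `-fPIC` group (once after `knotifications`, again after `kdecoration`), so its flag is appended twice; the second block should go. More importantly, `${CFLAGS/-fPIE -pie/}` only removes the two flags when they are adjacent and in that exact order, so a profile or user that sets them separately or reversed silently keeps PIE, and since stripping PIE is a deliberate hardening regression that the single `#GCC14 Hardening Relaxations` comment does not justify per package, each group should record why it is needed and when it can be retired (the `net-libs/libpsl` entry touching only CXXFLAGS, unlike the other C libraries, also looks worth confirming). The ninety-odd three-line `if` blocks would collapse into one `case` over `${CATEGORY}/${PN}` with a word-wise helper for the PIE removal, sketched below; `unset -f` the helper afterwards so it does not leak into the ebuild environment this file is sourced into.
```shell
#GCC14 Hardening Relaxations
# Temporary while the GCC 14 hardening flags are tested; each group should
# record why its packages need the relaxation so the entries can be retired.
strip_pie() {
 # Remove -fPIE and -pie wherever they appear in the named flags variable
 # (word-wise, so flag order and substrings such as -fno-pie are not an issue).
 local _f _out=()
 for _f in ${!1}; do
  [[ ${_f} == -fPIE || ${_f} == -pie ]] || _out+=("${_f}")
 done
 export "${1}=${_out[*]}"
}
case ${CATEGORY}/${PN} in
 sys-libs/efivar|dev-ruby/ffi|dev-ruby/strscan|sys-libs/liburing|net-libs/libpcap|app-text/ghostscript-gpl)
  # … remaining CFLAGS -fPIC packages from the per-package if blocks …
  export CFLAGS="${CFLAGS} -fPIC" ;;
 kde-frameworks/kguiaddons|kde-frameworks/kwindowsystem|app-text/poppler|kde-plasma/plasma-activities)
  # … remaining CXXFLAGS -fPIC packages, each listed once …
  export CXXFLAGS="${CXXFLAGS} -fPIC" ;;
 dev-libs/libjcat|media-libs/libv4l|gui-libs/gtk|dev-libs/yajl)
  # … remaining CFLAGS PIE-stripping packages …
  strip_pie CFLAGS ;;
 dev-python/numpy)
  strip_pie CFLAGS
  strip_pie CXXFLAGS ;;
 net-libs/libpsl|dev-libs/libfmt|dev-python/kiwisolver|dev-cpp/glibmm|dev-libs/libixion|dev-libs/spdlog)
  strip_pie CXXFLAGS ;;
esac
unset -f strip_pie
```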
From: "Rick Farina (Zero_Chaos)"
Date: Wed, 16 Oct 2024 17:02:36 -0400
Subject: [PATCH 2/2] ci: ensure VisibleVcsPkg are rejected
---
 .github/workflows/pkgcheck.yaml | 4 ++--
 .github/workflows/pkgcheck_merge.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pkgcheck.yaml b/.github/workflows/pkgcheck.yaml
index 624687f99d..79761e9c81 100644
--- a/.github/workflows/pkgcheck.yaml
+++ b/.github/workflows/pkgcheck.yaml
@@ -15,9 +15,9 @@ jobs:
 - name: Tree-wide pkgcheck error check
 uses: pkgcore/pkgcheck-action@v1
 with:
- args: --exit error -k error,PkgMetadataXmlIndentation,DeprecatedManifestHash,UnusedInherits,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-NonsolvableDepsInExp,-PotentialStable,-DeprecatedDep,-MissingUseDepDefault,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,UnquotedVariable
+ args: --exit error -k error,PkgMetadataXmlIndentation,DeprecatedManifestHash,UnusedInherits,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-NonsolvableDepsInExp,-PotentialStable,-DeprecatedDep,-MissingUseDepDefault,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,UnquotedVariable,VisibleVcsPkg
 - name: Commit pkgcheck warnings
 uses: pkgcore/pkgcheck-action@v1
 with:
- args: --exit warning -k ,PkgMetadataXmlIndentation,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-PotentialStable,-DeprecatedDep,-MissingUseDepDefault,ProfileError,ProfileWarning,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,EclassReservedName --commits HEAD^..${{ github.sha }}
+ args: --exit warning -k ,PkgMetadataXmlIndentation,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-PotentialStable,-DeprecatedDep,-MissingUseDepDefault,ProfileError,ProfileWarning,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,EclassReservedName,VisibleVcsPkg --commits HEAD^..${{ github.sha }}
diff --git a/.github/workflows/pkgcheck_merge.yaml b/.github/workflows/pkgcheck_merge.yaml
index c123cb4b79..78b4bfe834 100644
--- a/.github/workflows/pkgcheck_merge.yaml
+++ b/.github/workflows/pkgcheck_merge.yaml
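Review bot: The keyword list is now maintained by hand on four `args:` lines across pkgcheck.yaml and pkgcheck_merge.yaml (the next hunk of this commit), and the two copies have already drifted — the merge workflow's warning step carries `-UnknownProfilePackage` while this one does not — so the next keyword added is likely to miss one of them, whether or not that difference is deliberate. If the action passes `args` through unchanged, a job-level `env:` entry such as `PKGCHECK_ERROR_KEYWORDS: error,PkgMetadataXmlIndentation,…,UnquotedVariable,VisibleVcsPkg` referenced as `args: --exit error -k ${{ env.PKGCHECK_ERROR_KEYWORDS }}` leaves one copy per severity to keep in sync. Separately, `uses: pkgcore/pkgcheck-action@v1` on the context lines resolves a mutable tag; pinning it to a full commit SHA would make the checker's own code immutable between runs.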
@@ -16,9 +16,9 @@ jobs:
 - name: Tree-wide pkgcheck error check
 uses: pkgcore/pkgcheck-action@v1
 with:
- args: --exit error -k error,PkgMetadataXmlIndentation,DeprecatedManifestHash,UnusedInherits,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-NonsolvableDepsInExp,-PotentialStable,-DeprecatedDep,-MissingUseDepDefault,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,UnquotedVariable
+ args: --exit error -k error,PkgMetadataXmlIndentation,DeprecatedManifestHash,UnusedInherits,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-NonsolvableDepsInExp,-PotentialStable,-DeprecatedDep,-MissingUseDepDefault,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,UnquotedVariable,VisibleVcsPkg
 - name: Commit pkgcheck warnings
 uses: pkgcore/pkgcheck-action@v1
 with:
- args: --exit warning -k ,PkgMetadataXmlIndentation,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-PotentialStable,-UnknownProfilePackage,-DeprecatedDep,-MissingUseDepDefault,ProfileError,ProfileWarning,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,EclassReservedName --commits HEAD^..${{ github.sha }}
+ args: --exit warning -k ,PkgMetadataXmlIndentation,-NonsolvableDepsInStable,-NonsolvableDepsInDev,-PotentialStable,-UnknownProfilePackage,-DeprecatedDep,-MissingUseDepDefault,ProfileError,ProfileWarning,UnknownProfilePackageUse,OldPackageUpdate,OldMultiMovePackageUpdate,LaggingProfileEapi,UnknownProfilePackageKeywords,-UnusedProfileDirs,EclassReservedName,VisibleVcsPkg --commits HEAD^..${{ github.sha }}