Milestone Release 1.0
* Glibc-only (uClibc will remain in -unstable)
* Stabilize with linux-2.4 branch.
- Confirm rebuildability.
- Confirm testsuites.
* Enable verbose compiler warnings for base system packages.
- Add -Werror -Wall -Wformat -Wformat-security wherever possible.
- Fix/investigate places where -Werror -Wall does not work.
- Use -Wformat=2, and other supplemental warnings, with -Werror wherever possible.
* Enable toolchain security enhancements on base system.
- This includes -D_FORTIFY_SOURCE=2, -fPIE/-pie, -fstack-protector[-all], -z relro,now.
- Link suid programs to libmudflap.
- Supply proof of concept tests for each of these features, including strlcpy/strlcat tests.
* Support all Grsecurity and PaX kernel options.
- Verify Glibc can rebuild with all PaX options enabled.
* Verify system integrity with available debugging utilities and libraries.
- Add strlcpy/strlcat where it works.
- This can include Valgrind for GCC, Purity for Bash, etc.
- Give special consideration to suid programs.
- Document this.
* Submit all patches and modifications to official maintainers for review, criticism, etc.
* Add enough information and explanations of hardening methods so that Beyond-HLFS packages can be hardened without instructions (including fixing compiler warnings, unsafe mktemp functions, weird permissions on newly installed files such as suid bit and group writables). For example, instead of writing "do this and this", write "this is being done specifically in this instance because of that, and look for this when installing BLFS packages".
* Perhaps use BLFS's wiki pages for each package to add hardening notes, rather than adding BLFS packages to the HLFS book. This would benefit more users too.
* Segregate instructions for features to keep each of them optional.
- This includes toolchain, kernel, and debugging features.
* Audit book for accuracy, ease of reading and understanding.
- Document features well enough that outside links are not necessary, but available.
- Spell and grammar check.
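
One way to confirm that the toolchain features listed above (-fPIE/-pie, -z relro,now, -fstack-protector, -D_FORTIFY_SOURCE=2) actually reached an installed binary is to inspect its readelf output. This is an added example, not part of the HLFS book; the function names check_hardening, sample_hardened and sample_plain are hypothetical, and the readelf excerpts are constructed.

```shell
#!/bin/sh
# Added example: report which hardening features a binary was built with,
# from the text of `readelf -W -h -l -d -s BINARY` read on stdin.
check_hardening() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eq "$1"; }
    pie=no relro=none ssp=no fortify=no
    # -fPIE/-pie: ELF type is DYN (shared libraries are DYN as well).
    if has 'Type:[[:space:]]+DYN'; then pie=yes; fi
    # -z relro adds a GNU_RELRO segment; -z now adds BIND_NOW or a NOW flag.
    if has 'GNU_RELRO'; then
        relro=partial
        if has '\(BIND_NOW\)|\(FLAGS(_1)?\).*NOW'; then relro=full; fi
    fi
    # -fstack-protector: the binary references __stack_chk_fail.
    if has '__stack_chk_fail'; then ssp=yes; fi
    # -D_FORTIFY_SOURCE=2: checked variants such as __strcpy_chk are imported.
    # Heuristic: a binary that calls no fortifiable function shows none.
    if has '__[a-z]+_chk(@|[[:space:]]|$)'; then fortify=yes; fi
    echo "pie=$pie relro=$relro ssp=$ssp fortify=$fortify"
}

# Constructed readelf excerpts (not taken from a real HLFS build).
sample_hardened() { cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x002db0 0x0000000000003db0 0x0000000000003db0 0x000250 0x000250 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (3)
EOF
}
sample_plain() { cat <<'EOF'
  Type:                              EXEC (Executable file)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
EOF
}

# On a real file: readelf -W -h -l -d -s /path/to/binary | check_hardening
sample_hardened | check_hardening
sample_plain | check_hardening
```

A result of relro=partial means the GNU_RELRO segment is present but lazy binding is still enabled, so the binary was linked with -z relro but without -z now.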
