i don't get your point, Arch support selinux just fine https://wiki.archlinux.org/title/SELinux and have very sane compiler defaults and all mitigations come by default or are you referring to something specific?

Supports or enables by default? Because Fedora runs with SeLinux enabled by default and Michael does not disable it. Speaking of GCC flags, are you sure Arch comes close to this?

-Wall -W -Wextra -Wstrict-prototypes -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC -DPIC

Clear Linux uses -O3 by default which makes binaries fatter without necessarily making them faster. Its default GCC options (/share/defaults/etc/profile):

-g -O3 -feliminate-unused-debug-types -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=32 -Wformat -Wformat-security -m64 -fasynchronous-unwind-tables -Wp,-D_REENTRANT -ftree-loop-distribute-patterns -Wl,-z -Wl,now -Wl,-z -Wl,relro -fno-semantic-interposition -ffat-lto-objects -fno-trapping-math -Wl,-sort-common -Wl,--enable-new-dtags -mtune=skylake -Wa,-mbranches-within-32B-boundaries

So, it's -O3 -mtune=skylake -fstack-protector vs. Fedora's -O2 -mtune=generic -fstack-protector-strong -fstack-clash-protection -fcf-protection

There's no magic in Clear Linux which other distros cannot copy. I wonder why people continue to praise Clear Linux' performance in every test without taking ten minutes to find out what actually makes it faster.

Well, in all honesty Clear is faster for a helluvah amount of out of tree patches that enable GCC FMV among other things. the flags themselves don't do much difference performance wise tho.

About SeLinux well, in Arch you have 100% control so if you want them by default enable them if don't then don't.

Yes, Arch base flags are similar but Many of those Fedora flags are meant for debug info not security and are redundant but that is maybe to be sure any compiler will use them instead of assuming GCC will always be used, so no harm done.

This one is probably the most security wise flag -fstack-protector-strong and honestly performance wise is quite low the impact.

Again, SeLinux is enabled by default in Fedora. In Arch Linux it needs to be enabled. We are talking about two radically different things yet you equate them like there's no effing difference. Arch Linux may support all the MAC systems in the world, that doesn't make any bloody difference if none is enabled.

Funny you've completely omitted -O3 vs -O2 and -mtune=generic vs -mtune=skylake

Also I don't take lightly statements like "performance wise is quite low the impact" - either you test it and show the results or don't speak at all.

As for GCC FMV it requires a lot of effort for a very dubious effect - it's extremely unlikely that the majority of tests that Michael runs benefit from it. Again, you need to show where and how Clear Linux enables this feature or we've got nothing to talk about. I don't take lightly vapid statement with no proofs. I've shown you the compilation flags, so far you've shared nothing but assumptions.

I've got a very bad taste in my mouth after discussing this issue with you. You're welcome to continue with other demagogues.

Also, sir, I've caught you lying through your teeth.



Current status in Arch Linux
SELinux is not officially supported (see [1][2]).

Please get out of my sight.

Clear Linux has always been a failure as a general purpose distro. Before they stopped their desktop Linux ambitions last year, a survey of Intel people showed that 94% of their own people refused to use it as a desktop. The reason other distros don't copy everything that Clear Linux does is that it does not all translate to good general desktop distro performance.

1.) here you can see generic vs skylake is about hardware features available if they are used on the code(or later on in the compiler) https://gcc.gnu.org/onlinedocs/gcc-1...ml#x86-Options

1.b) -O3 basically is extra optimization passes for IPA and vectorization and performance is not affected if your code (or the compiler) don't use(is capable of later on) SIMD. https://gcc.gnu.org/onlinedocs/gcc-1...timize-Options

2.) https://docs.01.org/clearlinux/lates...rials/fmv.html, https://github.com/clearlinux-pkgs/linux, https://github.com/clearlinux-pkgs/opencv some examples.

3.) Nothing is officially supported on ArchLinux, sigh. same applies to Gentoo. See it as an expert distro(hence you are supposed to know what you are doing) and btw that is very old but is there as a newbie warning but works fine, same on Gentoo(as long as the ebuilds include selinux flags build from scratch ). So ok Fedora is idiot free and have a sane preinstalled default, Arch and Gentoo are not idiot free and require intervention but you have way more control over it.

4.) Is ironic reading this from someone that don't even understand basic C/C++ or how Gentoo/Arch/etc works, etc. or what optimization passes do or even something as blatantly obvious as -march but whatever make you happy.

As a normal user instead of someone in a bank, I prefer performance over security.

Becuase support, compatibility, system stability, lot of testing etc etc etc.
You don't wanna break a system running bank applications because of some unstable optimization.

It's weird how the results are kind of all over the place. In one test a distro will top the charts by a wide margin, then in others it's the slowest by a wide margin. Why is there no consistency? There is no clear winner if you ask me.

Anecdotally I mostly use Ubuntu and Arch Linux and don't see much difference performance-wise. Fedora on the other hand is very noticeably more "clunky", slow, and bloated feeling comparatively. I guess maybe SELinux or their other defaults play a part in that. I've never used Clear Linux so I can't comment on that.

What I'd like to see is a distro based around something like busybox (like embedded devices use). Something ultra-lightweight almost like booting a kernel straight to a shell. This would be really handy for server installs on constrained systems like cheap VPS instances. Would probably be great as a desktop as well. Boot times in a couple seconds, faster than ChromeOS even.