If any developers have ideas for hardening the distribution, feel free to post them here. Keep in mind that these are just ideas, not necessarily stuff we have committed to doing.
Create a rescue environment in /opt/rescue. This environment will contain backup versions of essential binaries (similar to BSD's /rescue or /altroot directory). It will reside on a separate read-only filesystem. It will use Busybox with static linking so that it does not depend on any other part of the system to function properly.
The Busybox binaries will be executable only by root.
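One way to audit the three properties of the rescue environment described above (read-only mount, static linking, root-only execution). This is an added example, not part of the original post or the distribution's tooling. The RESCUE_DIR and BUSYBOX variables, the busybox path and the function names are assumptions, and is_static assumes binutils readelf is installed.

```shell
#!/bin/sh
# Added example: audit the rescue environment described above.
# RESCUE_DIR, BUSYBOX and the function names are assumptions of this sketch.
RESCUE_DIR=${RESCUE_DIR:-/opt/rescue}
BUSYBOX=${BUSYBOX:-$RESCUE_DIR/busybox}   # assumed location of the binary

# True if mount point $1 carries the "ro" option in a /proc/mounts-style
# table ($2, default /proc/mounts). The last entry wins: later mounts shadow.
is_ro_mount() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; seen = 1 }
        END {
            if (!seen) exit 1
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
            exit 1
        }' "${2:-/proc/mounts}"
}

# True if $1 is a regular file owned by uid $2 (default 0, root) that the
# owner can execute and that has no execute bit for group or other.
root_only_exec() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "${2:-0}" -perm -100)" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -010 -o -perm -001 \))" ]
}

# True if ELF file $1 has no PT_INTERP header, so it needs no runtime loader
# from the main system. Assumes binutils readelf is installed.
is_static() {
    hdrs=$(readelf -lW "$1" 2>/dev/null) || return 1
    ! printf '%s\n' "$hdrs" | grep -q 'INTERP'
}

# Run all three checks and report each failure; returns non-zero on any.
check_rescue() {
    rc=0
    is_ro_mount "$RESCUE_DIR" || { echo "FAIL: $RESCUE_DIR not mounted read-only"; rc=1; }
    is_static "$BUSYBOX" || { echo "FAIL: $BUSYBOX is not statically linked"; rc=1; }
    root_only_exec "$BUSYBOX" || { echo "FAIL: $BUSYBOX not root-only executable"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then check_rescue; fi
```

The mount check matches `ro` only as a whole option, so an entry such as `rw,errors=remount-ro` is correctly reported as writable.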
--enable-stack-protector=strong --enable-stackguard-randomization