1 files changed, 46 insertions, 31 deletions
diff --git a/doc/build-unix.txt b/doc/build-unix.txt
index 4ecf15aa33..b7aa7112b4 100644
--- a/doc/build-unix.txt
+++ b/doc/build-unix.txt
@@ -1,4 +1,5 @@
 Copyright (c) 2009-2010 Satoshi Nakamoto
+Copyright (c) 2011 Bitcoin Developers
 Distributed under the MIT/X11 software license, see the accompanying
 file license.txt or http://www.opensource.org/licenses/mit-license.php.
 This product includes software developed by the OpenSSL Project for use in
@@ -14,16 +15,14 @@ To Build
 --------
 
 cd src/
+make -f makefile.unix            # Headless bitcoin
 
-make -f makefile.unix            # Bitcoin with wxWidgets GUI
-  or
-make -f makefile.unix bitcoind   # Headless bitcoin
-
+See readme-qt.rst for instructions on building Bitcoin QT,
+the graphical bitcoin.
 
 Dependencies
 ------------
 sudo apt-get install build-essential
-sudo apt-get install libgtk2.0-dev
 sudo apt-get install libssl-dev
 sudo apt-get install libdb4.8-dev
 sudo apt-get install libdb4.8++-dev
@@ -32,12 +31,6 @@ or Boost 1.37: sudo apt-get install libboost1.37-dev
 
 If using Boost 1.37, append -mt to the boost libraries in the makefile.
 
-Requires wxWidgets 2.9.1 or newer.
-
-You need to download wxWidgets from http://www.wxwidgets.org/downloads/
-and build it yourself.  See the build instructions and configure parameters
-below.
-
 Requires miniupnpc for UPnP port mapping.  It can be downloaded from
 http://miniupnp.tuxfamily.org/files/.  UPnP support is compiled in and
 turned off by default.  Set USE_UPNP to a different value to control this:
@@ -46,7 +39,6 @@ USE_UPNP=0  (the default) UPnP support turned off by default at runtime;
 USE_UPNP=1  UPnP support turned on by default at runtime.
 
 Licenses of statically linked libraries:
-wxWidgets      LGPL 2.1 with very liberal exceptions
 Berkeley DB    New BSD license with additional requirement that linked software must be free open source
 Boost          MIT-like license
 miniupnpc      New (3-clause) BSD license
@@ -54,7 +46,6 @@ miniupnpc      New (3-clause) BSD license
 Versions used in this release:
 GCC          4.3.3
 OpenSSL      0.9.8g
-wxWidgets    2.9.2
 Berkeley DB  4.8.30.NC
 Boost        1.37
 miniupnpc    1.6
@@ -62,28 +53,10 @@ miniupnpc    1.6
 
 Notes
 -----
-The UI layout is edited with wxFormBuilder.  The project file is
-uiproject.fbp.  It generates uibase.cpp and uibase.h, which define base
-classes that do the rote work of constructing all the UI elements.
-
 The release is built with GCC and then "strip bitcoin" to strip the debug
 symbols, which reduces the executable size by about 90%.
 
 
-wxWidgets
----------
-cd /usr/local
-tar -xzvf wxWidgets-2.9.2.tar.gz
-cd wxWidgets-2.9.2
-mkdir buildgtk
-cd buildgtk
-../configure --with-gtk --enable-debug --disable-shared --enable-monolithic --without-libpng --disable-svg
-make
-sudo su
-make install
-ldconfig
-
-
 miniupnpc
 ---------
 tar -xzvf miniupnpc-1.6.tar.gz
@@ -106,3 +79,45 @@ If you need to build Boost yourself:
 sudo su
 ./bootstrap.sh
 ./bjam install
+
+
+Security
+--------
+To help make your bitcoin installation more secure by making certain attacks impossible to
+exploit even if a vulnerability is found, you can take the following measures:
+
+* Position Independent Executable
+    Build position independent code to take advantage of Address Space Layout Randomization
+    offered by some kernels. An attacker who is able to cause execution of code at an arbitrary
+    memory location is thwarted if he doesn't know where anything useful is located.
+    The stack and heap are randomly located by default but this allows the code section to be
+    randomly located as well.
+
+    On an Amd64 processor where a library was not compiled with -fPIC, this will cause an error
+    such as: "relocation R_X86_64_32 against `......' can not be used when making a shared object;"
+
+    To build with PIE, use:
+    make -f makefile.unix ... -e PIE=1
+
+    To test that you have built PIE executable, install scanelf, part of paxutils, and use:
+    scanelf -e ./bitcoin
+
+    The output should contain:
+     TYPE
+    ET_DYN
+
+* Non-executable Stack
+    If the stack is executable then trivial stack based buffer overflow exploits are possible if
+    vulnerable buffers are found. By default, bitcoin should be built with a non-executable stack
+    but if one of the libraries it uses asks for an executable stack or someone makes a mistake
+    and uses a compiler extension which requires an executable stack, it will silently build an
+    executable without the non-executable stack protection.
+
+    To verify that the stack is non-executable after compiling use:
+    scanelf -e ./bitcoin
+
+    the output should contain:
+    STK/REL/PTL
+    RW- R-- RW-
+
+    The STK RW- means that the stack is readable and writeable but not executable.