If you aren't going to do any debugging, just keep your global CFLAGS as :
CHOST="x86_64-pc-linux-gnu"
COMMON_FLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
If you plan to debug, just remove the -fomit-frame-pointer flag. GCC will know your CPU's flags so "native" is fine. Also, the "~arch" flag is fine, I always use it. So, again in /etc/portage/make.conf add the following line :
ACCEPT_KEYWORDS="~amd64"
This will enable newer packages. Not totally bleeding edge (that would be using the .9999 ebuilds), but newer than "amd64". The thing with the bleeding edge is that you can bleed. So the .9999 ebuilds are generally things to avoid.
For hardening, tune your kernel and build your desktop accordingly. Pick a sane profile. If using KDE pick the KDE profile, if using Gnome pick the Gnome profile, but if using something nicer, like i3-gaps, just pick the desktop profile. As explained in the link you can combine profiles.
CCACHE is fine to use as it speeds up compiling time for minor version changes. Something that might take 30 minutes to compile will only take a few minutes with a minor version bump. Major version bumps will take the full 30 minutes though. Initial builds with ccache are slightly longer than without, but the time saved with minor version upgrades more than makes up for it. Not using it is obviously fine, so up to you.
WRT python, just let portage handle it for the most part and don't assign a version in your make.conf. People who were picking versions had a lot of grief as Python2 was retired this year from upstream. While there are some lingering Python2 packages still around (numpy being a prime example), portage has been decent at keeping things sanitized well.
Be sure to add a /swap partition. Even with 32GB of ram I added a 1GB /swap just to be safe.
Updating my desktop right now :
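An added example, not part of the post above: a small POSIX sh lint that encodes the advice in it (frame pointers for debug builds, ~amd64 rather than `**`, keywords matching CHOST, no pinned Python targets). The two make.conf files it writes are constructed for the example; the `CFLAGS="${COMMON_FLAGS}"` and `CXXFLAGS="${COMMON_FLAGS}"` lines are assumed from the stock Gentoo make.conf, since COMMON_FLAGS only reaches the compiler through them.

```shell
#!/bin/sh
# Added example (not the poster's file). make.conf is plain sh variable
# assignments, so it can be sourced and inspected directly.

# write_makeconf FILE  -- constructed make.conf following the post's advice.
# CFLAGS/CXXFLAGS inheriting COMMON_FLAGS is assumed from the stock make.conf.
write_makeconf() {
  cat > "$1" <<'EOF'
CHOST="x86_64-pc-linux-gnu"
COMMON_FLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
ACCEPT_KEYWORDS="~amd64"
FEATURES="ccache"
EOF
}

# write_bad_makeconf FILE -- constructed make.conf with the pitfalls the post warns about
write_bad_makeconf() {
  cat > "$1" <<'EOF'
CHOST="x86_64-pc-linux-gnu"
COMMON_FLAGS="-march=native -O2 -pipe"
CFLAGS="-O3 -march=native"
ACCEPT_KEYWORDS="~amd64 **"
PYTHON_TARGETS="python3_9"
EOF
}

# lint_makeconf FILE MODE   (MODE = debug | release)
# Prints each finding to stderr and the number of findings to stdout.
lint_makeconf() {
  file=$1; mode=$2; n=0
  unset CHOST COMMON_FLAGS CFLAGS CXXFLAGS ACCEPT_KEYWORDS PYTHON_TARGETS PYTHON_SINGLE_TARGET
  . "$file"

  # 1. Debug builds want frame pointers, so -fomit-frame-pointer is a finding in debug mode.
  case " $CFLAGS " in
    *" -fomit-frame-pointer "*)
      if [ "$mode" = debug ]; then
        echo "drop -fomit-frame-pointer from CFLAGS for debugging" >&2; n=$((n+1))
      fi ;;
  esac

  # 2. COMMON_FLAGS only takes effect through CFLAGS="${COMMON_FLAGS}".
  if [ -n "$COMMON_FLAGS" ] && [ "$CFLAGS" != "$COMMON_FLAGS" ]; then
    echo "CFLAGS does not inherit COMMON_FLAGS (set CFLAGS=\"\${COMMON_FLAGS}\")" >&2; n=$((n+1))
  fi

  # 3. "**" accepts unkeyworded (live .9999) ebuilds globally: the bleeding edge.
  case " $ACCEPT_KEYWORDS " in
    *" ** "*) echo "ACCEPT_KEYWORDS contains **: live .9999 ebuilds accepted globally" >&2; n=$((n+1)) ;;
  esac

  # 4. Keywords should match the CHOST architecture.
  case "$CHOST" in
    x86_64-*)
      case "$ACCEPT_KEYWORDS" in
        *amd64*) ;;
        *) echo "ACCEPT_KEYWORDS has no amd64 keyword for CHOST $CHOST" >&2; n=$((n+1)) ;;
      esac ;;
  esac

  # 5. Pinned Python targets: let portage pick them.
  if [ -n "$PYTHON_TARGETS$PYTHON_SINGLE_TARGET" ]; then
    echo "Python targets pinned in make.conf; let portage handle them" >&2; n=$((n+1))
  fi

  echo "$n"
}

# Stand-alone usage: lint both constructed files.
good=$(mktemp); bad=$(mktemp)
write_makeconf "$good"; write_bad_makeconf "$bad"
lint_makeconf "$good" release   # 0
lint_makeconf "$good" debug     # 1 (frame pointer)
lint_makeconf "$bad" release    # 3 (CFLAGS not from COMMON_FLAGS, **, pinned Python)
rm -f "$good" "$bad"
```

Run it against your own file with `lint_makeconf /etc/portage/make.conf debug` before an `emerge -e @world`; the count on stdout is the number of things to fix, and the findings themselves go to stderr.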