List Archive: gentoo-hardened
A few thoughts from my point of view...
Is there any ground of support for some of the security options that have
been circulated in the forums - e.g. having the ability to apply patches
to software without having to upgrade to a newer version, and to do so
with an 'emerge -u world' style command? This to me seems to be
something that would go hand in hand with the Hardened aspect that is
being worked on. I have heard of a number of frustrations from
administrators who would like to be able to update their packages with
the necessary security/bug patches without upgrading to the new version.
I feel that this could be incorporated within the current release system
(-rXX), with an option within something like make.conf that specified
not to upgrade a major release (i.e. a change in the x.y.z notation).
This may mean that some of the current -r numbering needs to be looked
at, as the best example that I have of the distributor's package
numbering being changed without the Gentoo package number being changed
is the 2.4.19 gentoo-sources, where the sources prior to 2.4.19-r7 are
all 2.4.18 based. This caused me lots of confusion as the 2.4.19 stock
kernel's implementation of Highpoint/Promise raid broke.
I know that everyone thinks that the administrator should keep up with
bugs via the GLSAs etc, and I agree completely. However I also feel
that if it is made easy for Gentoo users to update with _all_ security
patches, the Hardened options would be that much more attractive.
The other question that I had is, with regards to chroot()ing services,
are there going to be separate 'hardened' ebuilds for these, or will
they incorporate the chroot() option as a USE flag, and the ebuild puts
files in a different location, with a different setup than for the
default install? I see both of these options as having their advantages
and drawbacks, and both have the potential to get very messy.
Just my 2c. I welcome comments/discussions/disagreements, but no flames
please :)
Jerome Brown
Systems Administrator
Ashburton Trading Society
97 Burnett Street
PO Box 131
Ashburton
Ph: +64 3 308-1306
Fax: +64 3 308-1308
Email: jerome@...
--------------------------------------------
"There is no 'patch' for stupidity"
--
gentoo-hardened@g.o mailing list
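The "revision-only" update policy proposed above, as an added illustration that is not part of the original message and not Gentoo's own portage code: it parses the simplified `x.y.z-rN` form the post describes (suffixes such as `_rc1` are assumed out of scope), classifies each available update as a revision bump or a release change, and applies a hypothetical `allow_release` switch standing in for the suggested make.conf option. As the post notes for gentoo-sources 2.4.19, this only works if `-rN` reliably means "same upstream release plus patches".

```python
import re
from typing import Dict, NamedTuple, Tuple

# Simplified Gentoo-style version "x.y.z-rN" (assumption: the real ebuild
# version grammar also allows letters and suffixes like _rc1; not handled).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


class PkgVersion(NamedTuple):
    release: Tuple[int, ...]  # upstream release, e.g. (2, 4, 19)
    revision: int             # N from -rN, 0 when no -r suffix


def parse_version(text: str) -> PkgVersion:
    """Split '2.4.19-r7' into release (2, 4, 19) and revision 7."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return PkgVersion(release, revision)


def classify_update(installed: str, candidate: str) -> str:
    """Return 'none', 'revision' (patches only) or 'release' (x.y.z changed)."""
    cur, new = parse_version(installed), parse_version(candidate)
    if new <= cur:            # tuple order: release first, then revision
        return "none"
    if new.release == cur.release:
        return "revision"
    return "release"


def select_updates(installed: Dict[str, str], available: Dict[str, str],
                   allow_release: bool) -> Dict[str, str]:
    """Hypothetical 'emerge -u world' planner honouring a release pin.

    With allow_release=False only -rN bumps are scheduled, which is the
    'security patches without a new upstream version' behaviour asked for.
    """
    plan: Dict[str, str] = {}
    for pkg, cur in installed.items():
        new = available.get(pkg)
        if new is None:
            continue
        kind = classify_update(cur, new)
        if kind == "revision" or (kind == "release" and allow_release):
            plan[pkg] = new
    return plan
```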