Gentoo Archives: gentoo-dev

From: Piotr Karbowski <slashbeast@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Rationalizing USE flags by narrowing the scope of them.
Date: Tue, 04 Jan 2022 19:40:32
In Reply to: Re: [gentoo-dev] Rationalizing USE flags by narrowing the scope of them. by Michael Orlitzky
1 On 04/01/2022 20.18, Michael Orlitzky wrote:
2 > On Tue, 2022-01-04 at 19:26 +0100, Piotr Karbowski wrote:
3 >>
4 >> And none of which happens unless you intentionally trigger it.
5 >>
6 >> ...
7 >>
8 >> Sure, acl and how chmod manipulate mask on ACL-enabled entities is not
9 >> very simple, but nothing will break by itself just because you have acl
10 >> support enabled, you would need to try very hard to run into problems.
11 >>
12 >>
13 >
14 > Even if you're right, and if no other tools invoke tar, and the user is
15 > smart enough not to copy/paste commands from the web, and if no other
16 > archivers can extract ACLs when invoked directly or indirectly...
17 > you're still burdening the user to either have faith that this is all
18 > true, or to verify it himself. Repeat the argument for other flags like
19 > ipv6, and you wind up requiring either a lot of faith, or a lot of
20 > diligence, both of which are antithetical to basic principles of
21 > security.
22 >
23 > You may not buy the argument, but it's why people disable this stuff,
24 > and the ability to disable it is why a lot of our users user Gentoo to
25 > begin with.
27 I was challenging here your opinion that most people should disable acl
28 support.
30 And what I showed is that, by keeping it enabled, does not bring on you
31 potential problems beside possible security issues in the code that you
32 keep around and not want to have around.
34 Sure, there are valid reasons to strip things from kernel, I've seen
35 some tor nodes running kernel without input devices all out of
36 initramfs, such usecase do make sense.
38 However I am strongly against opinion that most people should not enable
39 acl, unless you have 16 MB NOR flash storage and every kB of kernel
40 image counts, but then it's unlikely that you'd use gentoo there in the
41 first place, since bundling headers and whole toolchain would east a lot
42 of storage.
44 I know there are people who love to disable things, there are even
45 people who says that pam is bloatware and strip it, or people who,
46 security reason as they claim, refuse to use logind provider (elogind or
47 systemd) and instead choose to run Xorg as root.
49 -- Piotr.