| 1 |
On Fri, Oct 29, 2010 at 09:11:33AM -0700, Alec Warner wrote: |
| 2 |
> 'Anyone wanting to run a secure server profile should use hardened' |
| 3 |
> tends to imply that the server profile is insecure which is probably |
| 4 |
> not what you intend to convey to users. Hardened is likely more |
| 5 |
> secure (which is all we can really say authoritatively...) I don't |
| 6 |
> think saying that *somewhere* is a bad idea. The profile.bashrc is |
| 7 |
> likely not the best place however. |
| 8 |
I understand your concern and why someone might get confused about the |
| 9 |
server/hardened thingie however I think that polluting this profile |
| 10 |
in this way is not acceptable. |
| 11 |
Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete. |
| 12 |
At least this part has to be removed/changed |
| 13 |
> |
| 14 |
> >> If so, I'd leave that warning alone until we get enough people working |
| 15 |
> >> on the server profiles so we can make any promises about it. |
| 16 |
> > How many? Work on what actually? It is just a profile with minimal use |
| 17 |
> > flags. There is nothing to work on :-/ I don't understand that. Tell me |
| 18 |
> > which areas of server profile need more attention so I can understand |
| 19 |
> > what are you talking about |
| 20 |
> |
| 21 |
> If it is a profile with minimal use flags why not call it minimal? :) |
| 22 |
Cause 'server' is minimal by default. |
| 23 |
> |
| 24 |
> >> |
| 25 |
> >> If we had the statistics for it, we could check how many people have |
| 26 |
> >> apache installed with that profile vs not having it. As there's nothing |
| 27 |
> >> preventing one from having USE="-apache2 -ldap" when required and I |
| 28 |
> >> don't use the server profiles, I don't really have a strong opinion |
| 29 |
> >> about this. |
| 30 |
> > Same for USE="apache2 ldap" on make.conf. That is not a valid argument |
| 31 |
> > :) |
| 32 |
> |
| 33 |
> 1) I don't believe anyone has any clear data on what flags are enabled |
| 34 |
> or disabled by users. |
| 35 |
> 2) Each of us users the server profile differently. |
| 36 |
> 3) Each of us has a different idea of what is involved with running a server. |
| 37 |
> |
| 38 |
> It is difficult to take the argument in any strong direction due to |
| 39 |
> these types of problems (it is an obvious bikeshed..) |
| 40 |
> |
| 41 |
> I will instead try a different tact. I think it is advantageous to |
| 42 |
> reduce the number of default flags. There is a question of what will |
| 43 |
> break though; so that is the question I pose to you. |
| 44 |
> |
| 45 |
> Can I install a machine with the server profile and USE=-ldap, but |
| 46 |
> still get ldap + pam working? |
| 47 |
> Can I install a machine with the server profile and USE=-apache, but |
| 48 |
> still get apache + php working? apache + rails? |
| 49 |
> How many packages support each USE flag? |
| 50 |
> How many of those packages have IUSE defaults for +ldap or +apache already? |
| 51 |
First of all, relying on specific package use flag choices is wrong by |
| 52 |
default. What if these package change their default use flags some day? |
| 53 |
Are you sure you want to engineer your profiles' behavior based on |
| 54 |
specific packages? |
| 55 |
Using these flags by default you imply that the server profile is |
| 56 |
optimised for web hosting/active directory usage. So why don't you add |
| 57 |
ipv6, snmp, vhosts by default too, to include all those firewall/router |
| 58 |
hosts running Gentoo? The server profile *imho* should have |
| 59 |
as few as possible USE flags. Users who use this profile should be well |
| 60 |
educated on how to add more USE flags if needed. |
| 61 |
|
| 62 |
-- |
| 63 |
Markos Chandras (hwoarang) |
| 64 |
Gentoo Linux Developer |
| 65 |
Web: http://hwoarang.silverarrow.org |
| 66 |
Key ID: 441AC410 |
| 67 |
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410 |
Archives