On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras <hwoarang@g.o> wrote:
> On Fri, Oct 29, 2010 at 12:02:20PM +0000, Jorge Manuel B. S. Vicetto wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi.
>>
>> On 29-10-2010 11:03, Markos Chandras wrote:
>> > Hi
>> >
>> > I don't know how many of you are using these profiles. I would like to
>> > propose a couple of changes
>> >
>> > 1) I want to drop the warning message located on profile.bashrc files
>> > e.g. $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
>> > It is more than obvious what this profile is for so I don't think this
>> > message makes any sense.
>>
>> I've always taken the message about the server profiles not being
>> properly tested as a warning that anyone wanting to run a "secure"
>> server profile should use one of the hardened profiles.
> But isn't that obvious? How are server profiles related to hardened
> anyway? Anyway, this can stay. The rest about GCC and Glibc I think is
> useless
|
I think there are two nagging things that this thread raises.

Jorge's comment leads me to:

'Anyone wanting to run a secure server profile should use hardened'
tends to imply that the server profile is insecure which is probably
not what you intend to convey to users. Hardened is likely more
secure (which is all we can really say authoritatively...) I don't
think saying that *somewhere* is a bad idea. The profile.bashrc is
likely not the best place however.
|
>> If so, I'd leave that warning alone until we get enough people working
>> on the server profiles so we can make any promises about it.
> How many? Work on what actually? It is just a profile with minimal use
> flags. There is nothing to work on :-/ I don't understand that. Tell me
> which areas of server profile need more attention so I can understand
> what you are talking about
|
If it is a profile with minimal use flags why not call it minimal? :)
|
>>
>> > 2) Furthermore I would like to drop the following use flags from default
>> > IUSE
>> >
>> > -apache2
>> > -ldap
>> >
>> > A minimal server installation requires neither apache2 nor ldap
>>
>> Although one can install a server without apache or ldap, I'd say the
>> server profile seems the natural choice to have them enabled.
> So you assume that the most common server configuration is for active
> directory or web hosting
|
I think the values are there as a CYA thing to replace auto-use. I
think when someone installs LDAP they generally want the ldap use flag
(so optionally LDAP support is compiled into apps). The same thing is
true of apache. Now sadly I removed support for auto-use around 2006
because it was a giant mess so instead we have default profile use
flags.
|
>> If we had the statistics for it, we could check how many people have
>> apache installed with that profile vs not having it. As there's nothing
>> preventing one from having USE="-apache2 -ldap" when required and I
>> don't use the server profiles, I don't really have a strong opinion
>> about this.
> Same for USE="apache2 ldap" on make.conf. That is not a valid argument
> :)
|
1) I don't believe anyone has any clear data on what flags are enabled
or disabled by users.
2) Each of us uses the server profile differently.
3) Each of us has a different idea of what is involved with running a server.

It is difficult to take the argument in any strong direction due to
these types of problems (it is an obvious bikeshed..)

I will instead try a different tack. I think it is advantageous to
reduce the number of default flags. There is a question of what will
break though; so that is the question I pose to you.

Can I install a machine with the server profile and USE=-ldap, but
still get ldap + pam working?
Can I install a machine with the server profile and USE=-apache, but
still get apache + php working? apache + rails?
How many packages support each USE flag?
How many of those packages have IUSE defaults for +ldap or +apache already?

-A
|
>>
>> - --
>> Regards,
>>
>> Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
>> Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
>>
>
> --
> Markos Chandras (hwoarang)
> Gentoo Linux Developer
> Web: http://hwoarang.silverarrow.org
> Key ID: 441AC410
> Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
>