| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
Stephen P. Becker wrote: |
| 7 |
|> As someone who is passively absorbing this information, I find your |
| 8 |
|> ignorance combined with your claim of being a security expert to |
| 9 |
|> indicate that you're full of shit. |
| 10 |
|> |
| 11 |
|> You've repetedly referred to the issue of cross-platform portability |
| 12 |
|> with SSP in here, for example; and I've pointed out once a link that |
| 13 |
|> shows that SSP is OS and CPU independent. Do your research, read what's |
| 14 |
|> out there. |
| 15 |
|> |
| 16 |
| |
| 17 |
| So are you then going to test it for us on mips then? "I read it on the |
| 18 |
| internet so it must be true" is a *horrible* way to do QA. Mozilla is |
| 19 |
| also supposed to be arch neutral. Guess what...it doesn't work on mips. |
| 20 |
| Oops! We're a small arch in terms of both devs and users. To my |
| 21 |
| knowledge, a full SSP userland has *never* been tested on mips. We are |
| 22 |
| spread way to thin currently for such an endeavor. |
| 23 |
|
| 24 |
OK so who has a mips you can test it on? |
| 25 |
|
| 26 |
| |
| 27 |
| So then, are you volunteering to build mips stages with SSP to prove |
| 28 |
| that it works for certain? We really don't have the manpower to do that |
| 29 |
| currently. Are you going to answer to any bug reports we would get if |
| 30 |
| this is implemented? |
| 31 |
| |
| 32 |
| Also, in terms of "researching" this problem, do you realize you just |
| 33 |
| told the Gentoo/sparc strategic manager that he doesn't know anything |
| 34 |
| about his own arch? "No! you're wrong! SSP does work on your arch!" |
| 35 |
|
| 36 |
"And ssp is supposed to be portable. Etoh and Yoda's paper[1] says that |
| 37 |
The IBM stack smash protection method (ProPolice) is CPU and OS |
| 38 |
independent[2]. I think that you'd be within reason to complain to them |
| 39 |
if it didn't work accross all archs." |
| 40 |
|
| 41 |
I never gave you my personal guarantee, I said based on research and on |
| 42 |
what the maintainers say, it should; and that if it doesn't then it's |
| 43 |
something they (not you) need to fix. I do like to think that people |
| 44 |
don't lie about their software, at the very least not intentionally. |
| 45 |
|
| 46 |
Obviously if it breaks on X arch, you disable it there. |
| 47 |
|
| 48 |
| Reminds me of arguments I've had with people that tried to tell me (I'm |
| 49 |
| a geologist) the Earth is only 7000 years old because the bible says so. |
| 50 |
| I suggest you pull your head out of the collective x86 ass. The |
| 51 |
| non-x86 arch teams have enough breakage to deal with without introducing |
| 52 |
| another layer of potential brokenness. |
| 53 |
|
| 54 |
I was considering more than x86, else I'd have asked you why the hell it |
| 55 |
needs to be cross-arch. I use x86_64 mainly, although I guess that |
| 56 |
counts as x86 huh? (the amd64 caabal doesn't seem to agree :>) In this |
| 57 |
case the architectural similarities put them in the same class. |
| 58 |
|
| 59 |
Still, I figured they meant "alpha sparc mips arm sh4 windows dos macos |
| 60 |
aix unix linux" when they said CPU and OS independent. |
| 61 |
|
| 62 |
| |
| 63 |
| I still don't understand why we can't simply place a blurb in the |
| 64 |
| install handbook as I suggested before. It is always much easier to add |
| 65 |
| something than take it away in this circumstance. If a user *really* |
| 66 |
| wants that functionality, they'll add it in. If a user *really* doesn't |
| 67 |
| want it, but it is on by default, they will have to rebuild their whole |
| 68 |
| userland, which on machines such a those supported by the mips port |
| 69 |
| would be *extremely* painful. |
| 70 |
| |
| 71 |
|
| 72 |
It's a design decision still. If you supply a non-SSP userland in your |
| 73 |
stages, the user has to start from stage 1 (not 2 or 3) to get SSP. If |
| 74 |
you supply an SSP userland in the stages, the user has to start from |
| 75 |
stage 1 to remove it. The hardened stages come with PIE-SSP, but what |
| 76 |
if the user doesn't want a full hardened system (i.e. pie and the |
| 77 |
hardened profile)? Obviously you don't want to waste more space on the |
| 78 |
mirrors supplying non-ssp/ssp/pie-ssp-selinux stages for each arch. |
| 79 |
|
| 80 |
Why not take a poll of the user base, and ask if SSP should be on by |
| 81 |
default or not? |
| 82 |
|
| 83 |
| Steve |
| 84 |
| |
| 85 |
| |
| 86 |
|
| 87 |
- -- |
| 88 |
All content of all messages exchanged herein are left in the |
| 89 |
Public Domain, unless otherwise explicitly stated. |
| 90 |
|
| 91 |
-----BEGIN PGP SIGNATURE----- |
| 92 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 93 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 94 |
|
| 95 |
iD8DBQFBVuvDhDd4aOud5P8RAm4uAJ94IoyZFByzemth5qcXvEWyfkffewCeNEid |
| 96 |
jrcMbnuBmtJnBBZLA3l+4oU= |
| 97 |
=H8GL |
| 98 |
-----END PGP SIGNATURE----- |
| 99 |
|
| 100 |
-- |
| 101 |
gentoo-dev@g.o mailing list |
Archives