| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Having read the whole thread here are some I feel important points to be made: |
| 5 |
1) Safety is important, it should be our aim to have our default system as |
| 6 |
secure as it possibly could be. Just look at the reviews some OS providers |
| 7 |
get over security. A good computer system should be protected against bad |
| 8 |
code as much as possible. |
| 9 |
2) The risk is real and errors against this seem common. |
| 10 |
3) A good housefather does not leave the front door of any home open at |
| 11 |
night. |
| 12 |
4) Protection is possible/available (to a degree) at system level. |
| 13 |
5) most people prefer to know they can have a reasonable trust in their |
| 14 |
computer system to operate reliably and consistently by default |
| 15 |
|
| 16 |
Here are some of the things not to like about what is proposed so far: |
| 17 |
1) Adjusting all ebuilds (not very productive, only adds clutter to ebuilds) |
| 18 |
2) Making new features, use flags whatever (same idea) |
| 19 |
3) Not doing anything would not be very responsible |
| 20 |
|
| 21 |
What I propose to do (pick the low hanging fruit): |
| 22 |
1) Add stack protector and and any similar 'features' stable in hardened to |
| 23 |
the default CLFAGS of the gentoo install/profiles. By stable I mean things |
| 24 |
which do not break the majority of functionality. |
| 25 |
2) broken ebuilds can filter-flags until fixed (better approach since you are |
| 26 |
only fixing up ebuilds for broken stuff and may also prompt the devs to try |
| 27 |
and make the protection work). |
| 28 |
3) People who prefer not to be protected can remove the settings from their |
| 29 |
CFLAGS |
| 30 |
4) get stuff virus, spam, etc protection functional and leveraged into the |
| 31 |
defaults in other words turn on those USE flags in the standard profiles |
| 32 |
|
| 33 |
A personal opinion: |
| 34 |
Anyone who thinks that a speed tradeoff is too much for better protection is |
| 35 |
crazy. Do us all a favor and play a go night of russian roulette by yourself |
| 36 |
to get your thrills. |
| 37 |
|
| 38 |
There's more to be said on security but I feel too lazy right now to type it |
| 39 |
so if this isn't convinving you let us know. |
| 40 |
|
| 41 |
Cheers, |
| 42 |
Bart |
| 43 |
-----BEGIN PGP SIGNATURE----- |
| 44 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 45 |
|
| 46 |
iD8DBQFBVapCBmJog5qpEKkRAriBAJ4zdBT49QVTvtGrkaXM1XqabfThdQCfdanA |
| 47 |
xZCyMyIV3+yu+sYf6fVHDuw= |
| 48 |
=FTfe |
| 49 |
-----END PGP SIGNATURE----- |
| 50 |
|
| 51 |
-- |
| 52 |
gentoo-dev@g.o mailing list |
Archives