1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
Having read the whole thread here are some I feel important points to be made: |
5 |
1) Safety is important, it should be our aim to have our default system as |
6 |
secure as it possibly could be. Just look at the reviews some OS providers |
7 |
get over security. A good computer system should be protected against bad |
8 |
code as much as possible. |
9 |
2) The risk is real and errors against this seem common. |
10 |
3) A good housefather does not leave the front door of any home open at |
11 |
night. |
12 |
4) Protection is possible/available (to a degree) at system level. |
13 |
5) most people prefer to know they can have a reasonable trust in their |
14 |
computer system to operate reliably and consistently by default |
15 |
|
16 |
Here are some of the things not to like about what is proposed so far: |
17 |
1) Adjusting all ebuilds (not very productive, only adds clutter to ebuilds) |
18 |
2) Making new features, use flags whatever (same idea) |
19 |
3) Not doing anything would not be very responsible |
20 |
|
21 |
What I propose to do (pick the low hanging fruit): |
22 |
1) Add stack protector and and any similar 'features' stable in hardened to |
23 |
the default CLFAGS of the gentoo install/profiles. By stable I mean things |
24 |
which do not break the majority of functionality. |
25 |
2) broken ebuilds can filter-flags until fixed (better approach since you are |
26 |
only fixing up ebuilds for broken stuff and may also prompt the devs to try |
27 |
and make the protection work). |
28 |
3) People who prefer not to be protected can remove the settings from their |
29 |
CFLAGS |
30 |
4) get stuff virus, spam, etc protection functional and leveraged into the |
31 |
defaults in other words turn on those USE flags in the standard profiles |
32 |
|
33 |
A personal opinion: |
34 |
Anyone who thinks that a speed tradeoff is too much for better protection is |
35 |
crazy. Do us all a favor and play a go night of russian roulette by yourself |
36 |
to get your thrills. |
37 |
|
38 |
There's more to be said on security but I feel too lazy right now to type it |
39 |
so if this isn't convinving you let us know. |
40 |
|
41 |
Cheers, |
42 |
Bart |
43 |
-----BEGIN PGP SIGNATURE----- |
44 |
Version: GnuPG v1.2.4 (GNU/Linux) |
45 |
|
46 |
iD8DBQFBVapCBmJog5qpEKkRAriBAJ4zdBT49QVTvtGrkaXM1XqabfThdQCfdanA |
47 |
xZCyMyIV3+yu+sYf6fVHDuw= |
48 |
=FTfe |
49 |
-----END PGP SIGNATURE----- |
50 |
|
51 |
-- |
52 |
gentoo-dev@g.o mailing list |