| 1 |
On Sunday 26 September 2004 06:42, Bart Lauwers wrote: |
| 2 |
> On the matter of the russian roulette, it is no different, computers |
| 3 |
> without a security policy are a disaster waiting to happen and the risk |
| 4 |
> could cost someone their life (not in all uses of a computer granted). Both |
| 5 |
> are loosing propositions. You cannot proof read all the code you put into |
| 6 |
> a distro so you need better ways to attain an acceptable level of |
| 7 |
> protection. |
| 8 |
|
| 9 |
I believe we do have a security policy already - no net facing daemons enabled |
| 10 |
by default. There's actually no daemons by default and the user is only |
| 11 |
encouraged to install a cron and syslog. The security policy of the system |
| 12 |
from that point on, as most everything with Gentoo, is left entirely up to |
| 13 |
the user. |
| 14 |
|
| 15 |
Here's my take on all this. There's almost no point in adding SSP to the |
| 16 |
stage1 binaries. There's almost as little point in adding it to the stage2 |
| 17 |
binaries as well. So that pretty much leaves the question as to whether there |
| 18 |
is a point in adding SSP to the stage3 binaries (and GRP). |
| 19 |
|
| 20 |
To that end, I wonder what class of users use stage3. Personally, if I use a |
| 21 |
stage3 it is to get the system up and running as fast as possible. Once I can |
| 22 |
start using the system productively, I inevitably run emerge -e world in the |
| 23 |
background. Another class of user wants QA'd binaries with maximum stability. |
| 24 |
This usually means the machine is for some sort of business usage, whether it |
| 25 |
be client or server. |
| 26 |
|
| 27 |
The last class of user doesn't know/care enough to bother with the several |
| 28 |
days it takes to go from a stage1. Unfortunately, this class of user also |
| 29 |
wants everything to be as fast as possible; usually the type that writes up a |
| 30 |
lot of FUD on slashdot. I'm making a huge generalization here that anyone is |
| 31 |
free to wholeheartedly disagree with, but it servers my purpose here. |
| 32 |
|
| 33 |
So, two interesting classes of users. Those who care and those who don't. The |
| 34 |
question then becomes one of who we care about. Personally, I think that both |
| 35 |
are equally important. However, I lean toward better support for the ones |
| 36 |
that do care. In such, I'm all for SSP in stage3 and GRP as long as it does |
| 37 |
not introduce any stability concerns. Does it introduce any stability issues? |
| 38 |
|
| 39 |
Regards, |
| 40 |
Jason Stubbs |
| 41 |
|
| 42 |
-- |
| 43 |
gentoo-dev@g.o mailing list |
Archives