1 |
On Sat, 25 Sep 2004 19:26:26 +0200 |
2 |
Bart Lauwers <blauwers@g.o> wrote: |
3 |
|
4 |
> Having read the whole thread here are some I feel important points to be |
5 |
> made: 1) Safety is important, it should be our aim to have our default |
6 |
> system as secure as it possibly could be. Just look at the reviews some |
7 |
> OS providers get over security. A good computer system should be |
8 |
> protected against bad code as much as possible. |
9 |
|
10 |
Then shut it off, unplug it from the wall, permanently erase all data and |
11 |
then eject the physical components into the sun. Otherwise you will |
12 |
always be at some form of security risk, know or unknown. |
13 |
|
14 |
Also make sure you don't get the Operating System confused with the extra |
15 |
software provided. 99% of all software on your installation is not part |
16 |
of the Operating System. If you plan on making Gentoo accountable for |
17 |
that, I hope you have an army of developers waiting in the wings. |
18 |
|
19 |
> 2) The risk is real and errors against this seem common. |
20 |
|
21 |
Sure, there is risk in almost everything too. However just because |
22 |
driving an automobile can be dangerous doesn't mean I'll buy a tank or |
23 |
stay inside just to feel safe. |
24 |
|
25 |
> 3) A good housefather does not leave the front door of any home open at |
26 |
> |
27 |
> night. |
28 |
|
29 |
See reply to 1. |
30 |
|
31 |
> 4) Protection is possible/available (to a degree) at system level. |
32 |
> 5) most people prefer to know they can have a reasonable trust in their |
33 |
> computer system to operate reliably and consistently by default |
34 |
|
35 |
Doesn't this exist already? if people didn't trust Gentoo then why are |
36 |
they using it? We can't be held ultimately responsible for software we |
37 |
didn't write. If you can knock over service foo-1.2.3 on Gentoo, chances |
38 |
are you can knock it over on another Linux or possibly any other platform |
39 |
it runs on either. |
40 |
|
41 |
> Here are some of the things not to like about what is proposed so far: |
42 |
> 1) Adjusting all ebuilds (not very productive, only adds clutter to |
43 |
> ebuilds) 2) Making new features, use flags whatever (same idea) |
44 |
> 3) Not doing anything would not be very responsible |
45 |
|
46 |
Are we in the insurance business or are we in the Linux distribution |
47 |
business? Maybe I'm way out in left field here but I'm not holding Gentoo |
48 |
responsible for software they didn't write. |
49 |
|
50 |
> What I propose to do (pick the low hanging fruit): |
51 |
> 1) Add stack protector and and any similar 'features' stable in hardened |
52 |
> to the default CLFAGS of the gentoo install/profiles. By stable I mean |
53 |
> things which do not break the majority of functionality. |
54 |
|
55 |
Feel free to take on the ownership of making this work on every arch's |
56 |
toolchain then. Also feel free to deal with all upstream authors who |
57 |
start instantly dismissing any bugs from Gentoo due to the fact that the |
58 |
toolchain is quite modified to accomplish this task. Take the current |
59 |
stance the GAIM team has with us as an example of what would be to come. |
60 |
|
61 |
> 2) broken ebuilds can filter-flags until fixed (better approach since |
62 |
> you are only fixing up ebuilds for broken stuff and may also prompt the |
63 |
> devs to try and make the protection work). |
64 |
|
65 |
The protection itself is a work-around to the original problem. You want |
66 |
to continue to work around the problem even more? |
67 |
|
68 |
> 3) People who prefer not to be protected can remove the settings from |
69 |
> their CFLAGS |
70 |
|
71 |
Personally, I don't think opting out is the way to do this. Having CFLAGS |
72 |
that are in by default that may or may not work across all architectures |
73 |
is not a good thing. |
74 |
|
75 |
> 4) get stuff virus, spam, etc protection functional and leveraged into |
76 |
> the defaults in other words turn on those USE flags in the standard |
77 |
> profiles |
78 |
|
79 |
No thanks. I don't want to have to spend the first 24 hours or so of |
80 |
using my new"trusted" operating system opting out of all of the overly |
81 |
paranoid defaults. If I'm looking for a high level of security out of the |
82 |
box, I'll use hardened or OpenBSD. |
83 |
|
84 |
> A personal opinion: |
85 |
> Anyone who thinks that a speed tradeoff is too much for better |
86 |
> protection is crazy. Do us all a favor and play a go night of russian |
87 |
> roulette by yourself to get your thrills. |
88 |
|
89 |
OK seriously, this kind of comment isn't needed. I'm not sure what you |
90 |
hoped to have accomplished by it, but I'm fairly sure it didn't work. |
91 |
|
92 |
As anyone who has spent 5 minutes in the security world knows, there's a |
93 |
fine line between good security and paranoia. You can lock your system |
94 |
down to high heaven and be sure that people won't get into it, but then |
95 |
you won't be able to do a damn thing either. What good is that? |
96 |
|
97 |
Right now I have a choice to use these features if I want to. I don't |
98 |
have to "opt-out" and I would rather keep it that way. The support |
99 |
nightmare this will create is not worth the potential advantages. |
100 |
|
101 |
> There's more to be said on security but I feel too lazy right now to |
102 |
> type it so if this isn't convinving you let us know. |
103 |
|
104 |
And as this list has shown historically, we can all argue security to high |
105 |
heaven with each party feeling they have the right answer and never |
106 |
accomplish anything. |
107 |
|
108 |
Now please don't get me wrong. As someone who's day job is in the |
109 |
security field, I very much like and appreciate the efforts that have gone |
110 |
into making secure toolchains and hardened systems a reality in Gentoo. |
111 |
In some cases I do use them as well. |
112 |
|
113 |
However, I do not believe it is our place nor our job to make that choice |
114 |
for our users. You cannot protect people from themselves, regardless of |
115 |
the perceived benefits. |
116 |
|
117 |
Regards, |
118 |
-- |
119 |
Jason Wever |
120 |
Gentoo/Sparc Team Co-Lead |