| 1 |
On Sat, 25 Sep 2004 19:26:26 +0200 |
| 2 |
Bart Lauwers <blauwers@g.o> wrote: |
| 3 |
|
| 4 |
> Having read the whole thread here are some I feel important points to be |
| 5 |
> made: 1) Safety is important, it should be our aim to have our default |
| 6 |
> system as secure as it possibly could be. Just look at the reviews some |
| 7 |
> OS providers get over security. A good computer system should be |
| 8 |
> protected against bad code as much as possible. |
| 9 |
|
| 10 |
Then shut it off, unplug it from the wall, permanently erase all data and |
| 11 |
then eject the physical components into the sun. Otherwise you will |
| 12 |
always be at some form of security risk, know or unknown. |
| 13 |
|
| 14 |
Also make sure you don't get the Operating System confused with the extra |
| 15 |
software provided. 99% of all software on your installation is not part |
| 16 |
of the Operating System. If you plan on making Gentoo accountable for |
| 17 |
that, I hope you have an army of developers waiting in the wings. |
| 18 |
|
| 19 |
> 2) The risk is real and errors against this seem common. |
| 20 |
|
| 21 |
Sure, there is risk in almost everything too. However just because |
| 22 |
driving an automobile can be dangerous doesn't mean I'll buy a tank or |
| 23 |
stay inside just to feel safe. |
| 24 |
|
| 25 |
> 3) A good housefather does not leave the front door of any home open at |
| 26 |
> |
| 27 |
> night. |
| 28 |
|
| 29 |
See reply to 1. |
| 30 |
|
| 31 |
> 4) Protection is possible/available (to a degree) at system level. |
| 32 |
> 5) most people prefer to know they can have a reasonable trust in their |
| 33 |
> computer system to operate reliably and consistently by default |
| 34 |
|
| 35 |
Doesn't this exist already? if people didn't trust Gentoo then why are |
| 36 |
they using it? We can't be held ultimately responsible for software we |
| 37 |
didn't write. If you can knock over service foo-1.2.3 on Gentoo, chances |
| 38 |
are you can knock it over on another Linux or possibly any other platform |
| 39 |
it runs on either. |
| 40 |
|
| 41 |
> Here are some of the things not to like about what is proposed so far: |
| 42 |
> 1) Adjusting all ebuilds (not very productive, only adds clutter to |
| 43 |
> ebuilds) 2) Making new features, use flags whatever (same idea) |
| 44 |
> 3) Not doing anything would not be very responsible |
| 45 |
|
| 46 |
Are we in the insurance business or are we in the Linux distribution |
| 47 |
business? Maybe I'm way out in left field here but I'm not holding Gentoo |
| 48 |
responsible for software they didn't write. |
| 49 |
|
| 50 |
> What I propose to do (pick the low hanging fruit): |
| 51 |
> 1) Add stack protector and and any similar 'features' stable in hardened |
| 52 |
> to the default CLFAGS of the gentoo install/profiles. By stable I mean |
| 53 |
> things which do not break the majority of functionality. |
| 54 |
|
| 55 |
Feel free to take on the ownership of making this work on every arch's |
| 56 |
toolchain then. Also feel free to deal with all upstream authors who |
| 57 |
start instantly dismissing any bugs from Gentoo due to the fact that the |
| 58 |
toolchain is quite modified to accomplish this task. Take the current |
| 59 |
stance the GAIM team has with us as an example of what would be to come. |
| 60 |
|
| 61 |
> 2) broken ebuilds can filter-flags until fixed (better approach since |
| 62 |
> you are only fixing up ebuilds for broken stuff and may also prompt the |
| 63 |
> devs to try and make the protection work). |
| 64 |
|
| 65 |
The protection itself is a work-around to the original problem. You want |
| 66 |
to continue to work around the problem even more? |
| 67 |
|
| 68 |
> 3) People who prefer not to be protected can remove the settings from |
| 69 |
> their CFLAGS |
| 70 |
|
| 71 |
Personally, I don't think opting out is the way to do this. Having CFLAGS |
| 72 |
that are in by default that may or may not work across all architectures |
| 73 |
is not a good thing. |
| 74 |
|
| 75 |
> 4) get stuff virus, spam, etc protection functional and leveraged into |
| 76 |
> the defaults in other words turn on those USE flags in the standard |
| 77 |
> profiles |
| 78 |
|
| 79 |
No thanks. I don't want to have to spend the first 24 hours or so of |
| 80 |
using my new"trusted" operating system opting out of all of the overly |
| 81 |
paranoid defaults. If I'm looking for a high level of security out of the |
| 82 |
box, I'll use hardened or OpenBSD. |
| 83 |
|
| 84 |
> A personal opinion: |
| 85 |
> Anyone who thinks that a speed tradeoff is too much for better |
| 86 |
> protection is crazy. Do us all a favor and play a go night of russian |
| 87 |
> roulette by yourself to get your thrills. |
| 88 |
|
| 89 |
OK seriously, this kind of comment isn't needed. I'm not sure what you |
| 90 |
hoped to have accomplished by it, but I'm fairly sure it didn't work. |
| 91 |
|
| 92 |
As anyone who has spent 5 minutes in the security world knows, there's a |
| 93 |
fine line between good security and paranoia. You can lock your system |
| 94 |
down to high heaven and be sure that people won't get into it, but then |
| 95 |
you won't be able to do a damn thing either. What good is that? |
| 96 |
|
| 97 |
Right now I have a choice to use these features if I want to. I don't |
| 98 |
have to "opt-out" and I would rather keep it that way. The support |
| 99 |
nightmare this will create is not worth the potential advantages. |
| 100 |
|
| 101 |
> There's more to be said on security but I feel too lazy right now to |
| 102 |
> type it so if this isn't convinving you let us know. |
| 103 |
|
| 104 |
And as this list has shown historically, we can all argue security to high |
| 105 |
heaven with each party feeling they have the right answer and never |
| 106 |
accomplish anything. |
| 107 |
|
| 108 |
Now please don't get me wrong. As someone who's day job is in the |
| 109 |
security field, I very much like and appreciate the efforts that have gone |
| 110 |
into making secure toolchains and hardened systems a reality in Gentoo. |
| 111 |
In some cases I do use them as well. |
| 112 |
|
| 113 |
However, I do not believe it is our place nor our job to make that choice |
| 114 |
for our users. You cannot protect people from themselves, regardless of |
| 115 |
the perceived benefits. |
| 116 |
|
| 117 |
Regards, |
| 118 |
-- |
| 119 |
Jason Wever |
| 120 |
Gentoo/Sparc Team Co-Lead |
Archives