Gentoo Archives: gentoo-hardened

From: Kerin Millar <kerframil@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Hardened profile update
Date: Wed, 30 Sep 2009 10:47:52
Message-Id: 279fbba40909300347s4afea3b1qb4ce740c81702f02@mail.gmail.com
In Reply to: Re: [gentoo-hardened] Hardened profile update by Ed W
2009/9/30 Ed W <lists@××××××××××.com>:
> Gordon Malm wrote:
>>
>> It is my estimation that flag was disabled by mistake on the
>> hardened/linux/${arch} profiles.  I have re-enabled it.  Should be fixed on
>> your next sync.
>>
>
> Quick question and slightly OT
>
> How do others set up their own "profile"?
>
> I'm thinking that I try to sync a base /etc/make.conf across quite a few
> machines and whilst each machine slightly customises this, it would be
> really nice to have a master set of USE defaults and package.use /
> package.keywords options.
>
> I presume one needs to simply set up the profile somewhere outside of the
> /portage directory and then reference it?  Anything else needed other than
> a "parent" file pointing back at the real base profile?
>
> Any other tips from others who do something like this?
Personally, I believe that Gentoo has suffered from global USE flag bloat for a long time. It is unfortunate that aligning the hardened profile with the (nowadays complex) de-facto profile stack brings that problem over into the hardened camp as a side effect. If I had a penny for every obscure bug, block and obtuse manifestation of breakage with which I have assisted users, and which can be attributed to the resulting system complexity and fragility, I would probably be happily in retirement by now. What's more, packages still make sadly limited and, at times, questionable use of the pkginternal feature (IUSE="+gtk" in net-analyzer/wireshark being an example that I find particularly grating). Essentially, I see it as an unholy mess and have long since given up hope that there will ever be anything resembling a coherent and carefully considered policy.

So, being confident as to my preferences and wishing to keep this policy area under my direct control, I have long since eschewed the profile-sourced defaults. Here's an example of how I go about it, from one of my servers:

USE_ORDER="env:pkg:conf:pkginternal"
USE_CORE="cracklib hardened nptl pam pic readline ncurses unicode urandom zlib"
USE="${USE_CORE} mmx mmxext sse sse2 sse3 sse4.1 pcre"

The trick here is to drop "profile" from USE_ORDER (it is there by default). The 'core' flags there are essentially a slightly reduced version of those defined in the now deprecated profile. Frankly, even these constitute too many global flags for my taste, but there are some there which, after much deliberation, I determined should remain. This has rather more to do with the manner in which certain ebuilds work and the assumptions made on the part of their developers than with what I deem as being 'safe'. Aside from that, I employ package.use extensively and often use comments to make it perfectly clear why a given flag has been switched on or off.
Regarding "nls", as someone who requires only English language support, I find it to be almost useless. I say almost because, while it is not necessarily required, I would say that it is a reasonable default for php (some php applications require it). Why php still fails to make use of pkginternal is something I continue to find baffling.

Cheers,

--Kerin
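The effect of dropping "profile" from USE_ORDER, as described in the message above, is easiest to see by stacking the layers by hand. The following is an added example, not Kerin's code and not Portage's own implementation: a simplified model of Portage's incremental USE stacking in which the layers listed in USE_ORDER are applied from right (lowest precedence) to left (highest), "-flag" removes a flag and "-*" clears everything accumulated so far. The layer contents (a stand-in make.defaults, a package.use file with a comment, and a package whose ebuild sets IUSE="+gtk") are constructed for the illustration; real package.use atom matching is richer than the bare category/name comparison used here.

```python
# Added example: a simplified model of how Portage stacks USE_ORDER layers.
# Not Portage's code; layer contents below are constructed for illustration.


def apply_incremental(enabled, tokens):
    """Apply one layer of incremental USE tokens to the flags accumulated so far:
    'flag' enables, '-flag' disables, '-*' clears everything from lower layers."""
    enabled = set(enabled)
    for tok in tokens.split():
        if tok == "-*":
            enabled.clear()
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok)
    return enabled


def parse_package_use(text, package):
    """Return the USE tokens a package.use file assigns to `package`.
    Comments (the '#' style the message recommends) are stripped; atoms are
    matched on the bare category/name, a simplification of real atom matching."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        atom, *flags = line.split()
        if atom == package:
            tokens.extend(flags)
    return tokens


def effective_use(use_order, layers):
    """Stack the layers named in USE_ORDER for one package.
    Precedence decreases from left to right, so the rightmost layer is applied
    first and the leftmost last; a layer not named contributes nothing."""
    enabled = set()
    for layer in reversed(use_order.split(":")):
        enabled = apply_incremental(enabled, layers.get(layer, ""))
    return frozenset(enabled)


# Constructed inputs: a package whose ebuild declares IUSE="+gtk".
PACKAGE = "net-analyzer/wireshark"
PROFILE_DEFAULTS = "nls gtk cups acl berkdb"  # stand-in for a profile's make.defaults
MAKE_CONF_USE = (
    "cracklib hardened nptl pam pic readline ncurses unicode urandom zlib "
    "mmx mmxext sse sse2 sse3 sse4.1 pcre"  # the USE setting from the message
)
PACKAGE_USE = """\
# no GUI on a server: override the ebuild's IUSE="+gtk" default
net-analyzer/wireshark -gtk
"""

WITH_PROFILE = "env:pkg:conf:profile:pkginternal"  # order including the profile layer
WITHOUT_PROFILE = "env:pkg:conf:pkginternal"       # the order used in the message


def layers_for(package):
    """The per-layer USE strings that would apply to `package`."""
    return {
        "env": "",                                             # nothing exported in the shell
        "pkg": " ".join(parse_package_use(PACKAGE_USE, package)),
        "conf": MAKE_CONF_USE,
        "profile": PROFILE_DEFAULTS,
        "pkginternal": "gtk",                                  # from IUSE="+gtk"
    }


def compare(package=PACKAGE):
    """Effective USE for `package` with and without the profile layer."""
    layers = layers_for(package)
    return {
        "with_profile": effective_use(WITH_PROFILE, layers),
        "without_profile": effective_use(WITHOUT_PROFILE, layers),
    }


if __name__ == "__main__":
    for order, flags in compare().items():
        print(order, sorted(flags))
```

With the profile layer present, "nls" (and the other constructed make.defaults flags) leaks into the package; with it removed, only make.conf, package.use and the ebuild's own IUSE defaults remain, and the package.use entry still overrides the ebuild's "+gtk" in both cases because "pkg" sits to the left of "pkginternal".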