Hi Ned,

(Whoops, accidentally posted from my work email address before.)

> We Hardened/Gentoo are short staffed at the moment..
> Not about to go KABOOM..

Ah, good. I was worried for a little there :) I don't monitor the hardened
list very closely, so seeing messages all titled 'Keeping gentoo-hardened
alive' was a bit concerning.

> I'd actually like to talk with you more about the Hardened-QA topic
> later if we could.

No problems. My background in QA is primarily regression testing and code
quality reviews (although it's been ages since I've done any of this with
C) - my formal methods background is formal specification, model checking,
theorem proving, and formal derivation of code from formal specification.
(Yes, I'm a recovering academic :)

Please feel free to contact me off list if you want more specifics.

> It pretty much is covered. I've got a few hardened tinderboxes running
> to test these various setups.

I'd thought as much, but I wasn't sure how well resourced Hardened was
compared to the main Gentoo efforts.

> Feel free to review hardened-toolchain.xml

Okay, I'll give it a look over for clarity later today. I'll summarise any
changes I'd like to make and send it to you off-list, okay?

> Go take a peek at bugzilla and see if there are any open bugs related to
> hardened which are BOGUS, or can be resolved. If you have some tips for
> others, perhaps offer them.

I can do that.

> "How can I best use my existing skills to make the hardened project a
> little more kickass?"

Hmm, that's a good way to put it. I'd have to say my main day-to-day peeve is
the lack of PaX considerations in a number of key projects in the Portage
tree. (Wine and Mono especially.) I've written ebuilds before for private
use - perhaps it's time I started submitting patches for existing projects.

More blue-sky things are getting Coverity to apply their automated code
quality analysis tools to the 2.6 kernel sources with the hardened Gentoo
patchset applied - I'm sure getting the project registered with them wouldn't
be too hard, and it'd make maintaining code quality in the patchset easier.
(A course of action for Hardened-QA, perhaps?)

While I'm dreaming I'd also like to do something about making GRSEC easier to
set up (an upstream issue, I know) as it has so much promise, and the basic
configuration isn't nearly as paranoid as I'd like it to be :) and it's very
difficult and time-consuming to make it so. I gave up doing so, and I like to
think I'm not a complete n00b. PaX, PIE and SSP are practically
fire-and-forget in comparison.

Speaking of PaX, another great, impossible thing would be to have a
kernel-level feature for handling PaX violations in a less violent manner
(core dumps are violent, in my mind) - perhaps suspension of the process in
question until investigated, with the possibility of resumption or
termination by someone with sufficient security permissions. (Perhaps I'm
just unaware of an already existing feature.) Again, an upstream issue.

Let's see how many little things I get done first, shall we? :)

On Tue, 12 Feb 2008, Ned Ludd wrote:
> On Tue, 2008-02-12 at 11:15 +1000, Geoff Kassel wrote:
> > Another wagon jumper here :)
> >
> > My fledgling hosting and software development business is based on
> > hardened Gentoo, so I'd hate to see this project die.
>
> I work for a rather large online game hosting company and we also rely
> heavily on the use of hardened for nearly all DIA facing nodes. I've
> gone out of my way to make sure it's stable for what we need. No matter
> what I'll be maintaining something somewhere and I'm always willing to
> share my work, which should work for ~90% of all enterprise cases. So
> don't worry there. We Hardened/Gentoo are short staffed at the moment..
> Not about to go KABOOM..
>
> Anyway my biggest problem is I lack the time to test user configurations
> of services in bugzilla. That's a lot of work! And many times people are
> reporting what's already been fixed elsewhere. Another one of my biggest
> problems is I fix something locally and forget that it never got pushed
> to the tree. So when I sometimes see bugs in zilla I simply ignore them
> because in my mind I think they are a non-problem.
>
> > I'm quite time and money poor as
> > a new business owner,
>
> Hey don't worry there. This is not a financial problem or a lack of
> hardware. As well as a dev I'm also a sponsor to Gentoo of many of its
> core infrastructure boxes. (10G backbone to 1G IBM Blades)
>
> > but I have a fair skill set to offer when I do get
> > time. I'm a reasonably experienced Python, PHP, and C programmer.
> > (Although my C is a bit rusty, having lost ground to the others through
> > under use.)
> >
> > I've got a formal methods and QA background, if that's useful in any way.
>
> Hell fscking yeah it is.
>
> I'd actually like to talk with you more about the Hardened-QA topic
> later if we could.
>
> > I'm
> > handy with VMWare, so I can test experimental kernels and Portage trees,
> > if that's not already covered by a build farm elsewhere.
>
> It pretty much is covered. I've got a few hardened tinderboxes running
> to test these various setups.
> * hardened/amd64/multilib
> * hardened/ia64
> * hardened/ppc
> * hardened/x86
>
> http://tinderbox.dev.gentoo.org/html/
>
> > I'm reasonably
> > literate, if documentation needs to be written or revised.
>
> Yeah actually that might be a good idea.
> Feel free to review hardened-toolchain.xml
>
> > Is there a way the time-poor can help out? I can immediately offer some
> > hosting, if that's not already covered by the Gentoo Foundation -
> > monetary donations are probably a few months away. (Is there a way to
> > donate specifically to the hardened project, by the way?) I can also
> > offer some CPU time on two mid-range hardened Gentoo servers with shared
> > storage in a high-availability data centre in Australia for compilation
> > nodes, if that's any use.
>
> Not needed. As noted the game hosting provider I'm affiliated with has
> 632 spare blades across 75 chassis at the moment that are all Dual and
> Quad Core. I rarely ever need more than 2 per datacenter.
>
> > How may I be of assistance?
>
> Go take a peek at bugzilla and see if there are any open bugs related to
> hardened which are BOGUS, or can be resolved. If you have some tips for
> others, perhaps offer them.
> Or..
> Well other than asking how you can help.. How about trying to look at it
> from a perspective of:
> "How can I best use my existing skills to make the hardened project a
> little more kickass?"
>
> > Kind regards,
> >
> > Geoff Kassel.
> >
> > On Tue, 12 Feb 2008, Asaf Gery wrote:
> > > OK,
> > > I would also jump on this wagon... :-)
> > > My experience with C is minimal, although I do have some. I have years
> > > of experience with Java, I love Linux in general and specifically
> > > Gentoo. How can I support the effort?
> > > Asaf
> > >
> > > On Feb 11, 2008 8:21 PM, Mateusz Mierzwinski <mateuszmierzwinski@××.pl> wrote:
> > > > RB pisze:
> > > > >> help? Know this, you are not alone.
> > > > >
> > > > > Ditto. I'm not always the sharpest tool in the shed or have the
> > > > > greatest C skills, but am willing to help with whatever is needed.
> > > > > I've even considered devship (and been "recruited"), but was unsure
> > > > > I wanted to join in the politics and whether my existing
> > > > > contributions were... sufficient.
> > > > >
> > > > > RB
> > > >
> > > > Hi! I have C programming experience and I can help. Still got some
> > > > work, but I can write some code in free time ;).
> > > >
> > > > Mateusz M.
> > > > --
> > > > gentoo-hardened@l.g.o mailing list
--
gentoo-hardened@l.g.o mailing list