| 1 |
Hi Ned, |
| 2 |
|
| 3 |
(Whoops, accidentally posted from my work email address before.) |
| 4 |
|
| 5 |
> We Hardened/Gentoo are short staffed at the moment.. |
| 6 |
> Not about to go KABOOM.. |
| 7 |
|
| 8 |
Ah, good. I was worried for a little there :) I don't monitor the hardened |
| 9 |
list very closely, so seeing messages all titled 'Keeping gentoo-hardened |
| 10 |
alive' was a bit concerning. |
| 11 |
|
| 12 |
> I'd actually like to talk with you more about the Hardened-QA topic |
| 13 |
> later if we could. |
| 14 |
|
| 15 |
No problems. My background in QA is primarily regression testing and code |
| 16 |
quality reviews (although it's been ages since I've done any of this with |
| 17 |
C) - my formal methods background is formal specification, model checking, |
| 18 |
theorem proving, and formal derivation of code from formal specification. |
| 19 |
(Yes, I'm a recovering academic :) |
| 20 |
|
| 21 |
Please feel free to contact me off list if you want more specifics. |
| 22 |
|
| 23 |
> It pretty much is covered. I've got a few hardened tinderboxes running |
| 24 |
> to test these various setups. |
| 25 |
|
| 26 |
I'd thought as much, but I wasn't sure how well resourced Hardened was |
| 27 |
compared to the main Gentoo efforts. |
| 28 |
|
| 29 |
> Feel free to review hardened-toolchain.xml |
| 30 |
|
| 31 |
Okay, I'll give it a look over for clarity later today. I'll summarise any |
| 32 |
changes I'd like to make and send it to you off-list, okay? |
| 33 |
|
| 34 |
> Go take a peek at bugzilla and see if there are any open bugs related to |
| 35 |
> hardened with are BOGUS, or can be resolved. If you have some tips for |
| 36 |
> others. Perhaps offer them. |
| 37 |
|
| 38 |
I can do that. |
| 39 |
|
| 40 |
> "How can I best use my existing skills to make the hardened project a |
| 41 |
> little more kickass?" |
| 42 |
|
| 43 |
Hmm, that's a good way to put it. I'd have to say my main day-to-day peeve is |
| 44 |
the lack of PaX considerations in a number of key projects in the Portage |
| 45 |
tree. (Wine and Mono especially.) I've written ebuilds before for private |
| 46 |
use - perhaps it's time I started submitted patches for existing projects. |
| 47 |
|
| 48 |
More blue-sky things are getting Coverity to apply their automated code |
| 49 |
quality analysis tools to the 2.6 kernel sources with the hardened Gentoo |
| 50 |
patchset applied - I'm sure getting the project registered with them wouldn't |
| 51 |
be too hard, and it'd make maintaining code quality in the patchset easier. |
| 52 |
(An course of action for Hardened-QA, perhaps?) |
| 53 |
|
| 54 |
While I'm dreaming I'd also like to do something about making GRSEC easier to |
| 55 |
set up (an upstream issue, I know) as it has so much promise, and the basic |
| 56 |
configuration isn't nearly as paranoid as I'd like it to be :) and it's very |
| 57 |
difficult and time-consuming to make it so. I gave up doing so, and I like to |
| 58 |
think I'm not a complete n00b. PaX, PIE and SSP are practically |
| 59 |
fire-and-forget in comparison. |
| 60 |
|
| 61 |
Speaking of PaX, another great, impossible thing would be to have a |
| 62 |
kernel-level feature for handling PaX violations in a less violent manner |
| 63 |
(core dumps are violent, in my mind) - perhaps suspension of the process in |
| 64 |
question until investigated, with the possibility of resumption or |
| 65 |
termination by someone with sufficient security permissions. (Perhaps I'm |
| 66 |
just unaware of an already existing feature.) Again, an upstream issue. |
| 67 |
|
| 68 |
Let's see how many little things I get done first, shall we? :) |
| 69 |
|
| 70 |
On Tue, 12 Feb 2008, Ned Ludd wrote: |
| 71 |
> On Tue, 2008-02-12 at 11:15 +1000, Geoff Kassel wrote: |
| 72 |
> > Another wagon jumper here :) |
| 73 |
> > |
| 74 |
> > My fledgling hosting and software development business is based on |
| 75 |
> > hardened Gentoo, so I'd hate to see this project die. |
| 76 |
> |
| 77 |
> I work for a rather large online game hosting company and we also rely |
| 78 |
> heavily on the use of hardened for nearly all DIA facing nodes. I've |
| 79 |
> gone out of my way to make sure it's stable for what we need. No matter |
| 80 |
> what I'll be maintaining something somewhere and I'm always willing to |
| 81 |
> share my work, which should work for ~90% of all enterprise cases. So |
| 82 |
> don't worry there. We Hardened/Gentoo are short staffed at the moment.. |
| 83 |
> Not about to go KABOOM.. |
| 84 |
> |
| 85 |
> Anyway my biggest problem is I lack the time to test user configurations |
| 86 |
> of services in bugzilla. That's alot of work! And many times people are |
| 87 |
> reporting whats already been fixed elsewhere. Another one of my biggest |
| 88 |
> problems is I fix something locally and forget that it never got pushed |
| 89 |
> to the tree. So when I sometimes see bugs in zilla I simply ignore them |
| 90 |
> because in my mind I think they are non problem. |
| 91 |
> |
| 92 |
> > I'm quite time and money poor as |
| 93 |
> > a new business owner, |
| 94 |
> |
| 95 |
> Hey don't worry there. This is not a finical problem or a lack of |
| 96 |
> hardware. As well as a dev I'm also a sponsor to Gentoo of many of it's |
| 97 |
> core infrastructure boxes. (10G backbone to 1G IBM Blades) |
| 98 |
> |
| 99 |
> > but I have a fair skill set to offer when I do get |
| 100 |
> > time. I'm a reasonably experienced Python, PHP, and C programmer. |
| 101 |
> > (Although my C is a bit rusty, having lost ground to the others through |
| 102 |
> > under use.) |
| 103 |
> > |
| 104 |
> > |
| 105 |
> > I've got a formal methods and QA background, if that's useful in any way. |
| 106 |
> |
| 107 |
> Hell fscking yeah it is. |
| 108 |
> |
| 109 |
> I'd actually like to talk with you more about the Hardened-QA topic |
| 110 |
> later if we could. |
| 111 |
> |
| 112 |
> > I'm |
| 113 |
> > handy with VMWare, so I can test experimental kernels and Portage trees, |
| 114 |
> > if that's not already covered by a build farm elsewhere. |
| 115 |
> |
| 116 |
> It pretty much is covered. I've got a few hardened tinderboxes running |
| 117 |
> to test these various setups. |
| 118 |
> * hardened/amd64/multilib |
| 119 |
> * hardened/ia64 |
| 120 |
> * hardened/ppc |
| 121 |
> * hardened/x86 |
| 122 |
> |
| 123 |
> http://tinderbox.dev.gentoo.org/html/ |
| 124 |
> |
| 125 |
> > I'm reasonably |
| 126 |
> > literate, if documentation needs to be written or revised. |
| 127 |
> |
| 128 |
> Yeah actually that might be a good idea. |
| 129 |
> Feel free to review hardened-toolchain.xml |
| 130 |
> |
| 131 |
> > Is there a way the time-poor can help out? I can immediately offer some |
| 132 |
> > hosting, if that's not already covered by the Gentoo Foundation - |
| 133 |
> > monetary donations are probably a few months away. (Is there a way to |
| 134 |
> > donate specifically to the hardened project, by the way?) I can also |
| 135 |
> > offer some CPU time on two mid-range hardened Gentoo servers with shared |
| 136 |
> > storage in a high-availability data centre in Australia for compilation |
| 137 |
> > nodes, if that's any use. |
| 138 |
> |
| 139 |
> Not needed. As noted the game hosting provider I'm affiliated with has |
| 140 |
> spare 632 blades across 75 chassis at the moment that are all Dual and |
| 141 |
> Quad Core. I rarely ever need more than 2 per datacenter. |
| 142 |
> |
| 143 |
> > How may I be of assistance? |
| 144 |
> |
| 145 |
> Go take a peek at bugzilla and see if there are any open bugs related to |
| 146 |
> hardened with are BOGUS, or can be resolved. If you have some tips for |
| 147 |
> others. Perhaps offer them. |
| 148 |
> Or.. |
| 149 |
> Well other than asking how you can help.. How about trying to look at it |
| 150 |
> from a perspective of. |
| 151 |
> "How can I best use my existing skills to make the hardened project a |
| 152 |
> little more kickass?" |
| 153 |
> |
| 154 |
> > Kind regards, |
| 155 |
> > |
| 156 |
> > Geoff Kassel. |
| 157 |
> > |
| 158 |
> > On Tue, 12 Feb 2008, Asaf Gery wrote: |
| 159 |
> > > OK, |
| 160 |
> > > I would also jump on this wagon... :-) |
| 161 |
> > > My experience with C is minimal, although I do have some. I have years |
| 162 |
> > > of experience with Java, I love Linux in general and specifically |
| 163 |
> > > Gentoo. How can I support the effort? |
| 164 |
> > > Asaf |
| 165 |
> > > |
| 166 |
> > > On Feb 11, 2008 8:21 PM, Mateusz Mierzwinski <mateuszmierzwinski@××.pl> |
| 167 |
> > > |
| 168 |
> > > wrote: |
| 169 |
> > > > RB pisze: |
| 170 |
> > > > >> help? Know this, you are not alone. |
| 171 |
> > > > > |
| 172 |
> > > > > Ditto. I'm not always the sharpest tool in the shed or have the |
| 173 |
> > > > > greatest C skills, but am willing to help with whatever is needed. |
| 174 |
> > > > > I've even considered devship (and been "recruited"), but was unsure |
| 175 |
> > > > > I wanted to join in the politics and whether my existing |
| 176 |
> > > > > contributions were... sufficient. |
| 177 |
> > > > > |
| 178 |
> > > > > |
| 179 |
> > > > > RB |
| 180 |
> > > > |
| 181 |
> > > > Hi! I have C programming experience and I can help. Still got some |
| 182 |
> > > > work, but I can wrote some code in free time ;). |
| 183 |
> > > > |
| 184 |
> > > > Mateusz M. |
| 185 |
> > > > -- |
| 186 |
> > > > gentoo-hardened@l.g.o mailing list |
| 187 |
-- |
| 188 |
gentoo-hardened@l.g.o mailing list |
Archives