-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi

i also believe using the USE="hard" attempt is the best way to do it,
because then the user sets the "hard" use flag and can be sure all
packages that support chroot, stack smashing etc. will make use of these
more secure options, as do mozilla/xchat etc. if you have the "crypt"
flag set

tim

Aaron Held wrote:
| Jerome Brown wrote:
|
|> A few thoughts from my point of view...
|>
|> Is there a ground of support for some of the security options that have
|> been circulated in the forums - e.g. having the ability to apply patches
|> to software without having to upgrade to a newer version, and to do so
|> with an 'emerge -u world' style command? This to me seems to be
|>
|>
| something like emerge --security world that would just look for security
| updates
|
|> The other question that I had is, with regards to chroot()ing services,
|> are there going to be separate 'hardened' ebuilds for these, or will
|> they incorporate the chroot() option as a USE flag, and the ebuild puts
|>
|>
| I think this is what we should standardize on. It will be harder, but
| we have to assume that the original ebuild author knows the app the
| best, but maybe not how to chroot it. Maybe we could be a resource to
| help tighten existing ebuilds as we come across them.
| ebuilds are far from generic anyway, and their advantage is the ability
| to customize the source and install based on the USE flags.
|
|> Jerome Brown
|>
| -Aaron
|
|>
|>
|
|
|
| --
| gentoo-hardened@g.o mailing list
|
|

- --
What hath Bob wrought?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+ebnlL6CZIBLe8PMRAjtHAJ9zb0iB1fHyQ+wVJMo4K9XJwfaL8ACfV3rg
PVntmgrNiV2G7yHagFHP+lU=
=BGOp
-----END PGP SIGNATURE-----

--
gentoo-hardened@g.o mailing list