Gentoo Archives: gentoo-hardened

From: Jerome Brown <jerome@××××××.nz>
To: gentoo-hardened@g.o
Subject: [gentoo-hardened] My Thoughts
Date: Thu, 20 Mar 2003 03:45:59
Message-Id: 88B52F24E9F43D418C30A998C19B5C80032A1F@ats-sbs01.ATS.co.nz
A few thoughts from my point of view...

Is there a ground of support for some of the security options that have
been circulated in the forums - e.g. having the ability to apply patches
to software without having to upgrade to a newer version, and to do so
with an 'emerge -u world' style command? This to me seems to be
something that would go hand in hand with the Hardened aspect that is
being worked on. I have heard of a number of frustrations from
administrators who would like to be able to update their packages with
the necessary security/bug patches without upgrading to the new version.
I feel that this could be incorporated within the current release system
(-rXX), with an option within something like make.conf that specified
not to upgrade a major release (i.e. a change in the x.y.z notation).
This may mean that some of the current -r numbering needs to be looked
at, as the best example that I have of the distributor's package
numbering being changed without the Gentoo package number being changed
is the 2.4.19 gentoo-sources, where the sources prior to 2.4.19-r7 are
all 2.4.18 based. This caused me lots of confusion as the 2.4.19 stock
kernel's implementation of Highpoint/Promise RAID broke.

I know that everyone thinks that the administrator should keep up with
bugs via the GLSAs etc., and I agree completely. However, I also feel
that if it is made easy for Gentoo users to update with _all_ security
patches, the Hardened options would be that much more attractive.

The other question that I had is, with regards to chroot()ing services,
are there going to be separate 'hardened' ebuilds for these, or will
they incorporate the chroot() option as a USE flag, and the ebuild puts
files in a different location, with a different setup than for the
default install? I see both of these options as having their advantages
and drawbacks, and both have the potential to get very messy.

Just my 2c. I welcome comments/discussions/disagreements, but no flames
please :)


Jerome Brown
Systems Administrator
Ashburton Trading Society
97 Burnett Street
PO Box 131
Ashburton
Ph: +64 3 308-1306
Fax: +64 3 308-1308
Email: jerome@××××××.nz
--------------------------------------------
"There is no 'patch' for stupidity"

--
gentoo-hardened@g.o mailing list
