A few thoughts from my point of view...

Is there a ground of support for some of the security options that have
been circulated in the forums - e.g. having the ability to apply patches
to software without having to upgrade to a newer version, and to do so
with an 'emerge -u world' style command? This to me seems to be
something that would go hand in hand with the Hardened aspect that is
being worked on. I have heard of a number of frustrations from
administrators who would like to be able to update their packages with
the necessary security/bug patches without upgrading to the new version.
I feel that this could be incorporated within the current release system
(-rXX), with an option within something like make.conf that specified
not to upgrade a major release (i.e. a change in the x.y.z notation).
This may mean that some of the current -r numbering needs to be looked
at, as the best example that I have of the distributor's package
numbering being changed without the Gentoo package number being changed
is the 2.4.19 gentoo-sources, where the sources prior to 2.4.19-r7 are
all 2.4.18 based. This caused me lots of confusion as the 2.4.19 stock
kernel's implementation of Highpoint/Promise RAID broke.

I know that everyone thinks that the administrator should keep up with
bugs via the GLSAs etc., and I agree completely. However, I also feel
that if it is made easy for Gentoo users to update with _all_ security
patches, the Hardened options would be that much more attractive.

The other question that I had is, with regards to chroot()ing services,
are there going to be separate 'hardened' ebuilds for these, or will
they incorporate the chroot() option as a USE flag, and the ebuild puts
files in a different location, with a different setup than for the
default install? I see both of these options as having their advantages
and drawbacks, and both have the potential to get very messy.

Just my 2c. I welcome comments/discussions/disagreements, but no flames
please :)


Jerome Brown
Systems Administrator
Ashburton Trading Society
97 Burnett Street
PO Box 131
Ashburton
Ph: +64 3 308-1306
Fax: +64 3 308-1308
Email: jerome@××××××.nz
--------------------------------------------
"There is no 'patch' for stupidity"

--
gentoo-hardened@g.o mailing list
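The policy the post sketches, "take -rN revision bumps but never cross an x.y.z boundary", can be stated precisely as a version filter. The following is an added illustration, not Portage code and not part of the original message: it parses Gentoo-style version labels of the form x.y.z-rN, reads a hypothetical make.conf knob (the variable name UPSTREAM_BUMPS is invented here for the example; Portage has no such setting), and picks the highest permitted version per package. The package names and version lists are constructed sample data. Note that the filter can only trust the label: the gentoo-sources case in the post, where a 2.4.19-rN ebuild actually shipped 2.4.18 sources, is exactly the situation such a rule cannot detect.

```python
import re
from dataclasses import dataclass

# Hypothetical parser for Gentoo-style version strings "x.y.z" or "x.y.z-rN".
# "x.y.z" is the upstream version; "-rN" is the Gentoo ebuild revision.
VERSION_RE = re.compile(r'^(?P<upstream>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$')


@dataclass(frozen=True)
class Version:
    upstream: tuple  # e.g. (2, 4, 19)
    rev: int         # 0 when no -rN suffix is present

    def key(self):
        # Sort key: upstream version first, then Gentoo revision.
        return (self.upstream, self.rev)


def parse_version(label: str) -> Version:
    m = VERSION_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised version label: {label!r}")
    upstream = tuple(int(p) for p in m.group('upstream').split('.'))
    return Version(upstream, int(m.group('rev') or 0))


def format_version(v: Version) -> str:
    base = '.'.join(str(p) for p in v.upstream)
    return f"{base}-r{v.rev}" if v.rev else base


def is_revision_only_update(installed: str, candidate: str) -> bool:
    """True when candidate differs from installed only in the -rN revision,
    i.e. the same upstream x.y.z with a newer Gentoo revision."""
    a, b = parse_version(installed), parse_version(candidate)
    return a.upstream == b.upstream and b.rev > a.rev


def policy_from_make_conf(text: str) -> bool:
    """Read the hypothetical UPSTREAM_BUMPS knob from make.conf-style text.
    Returns True (allow upstream version bumps) unless the knob says no."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop comments
        if line.startswith('UPSTREAM_BUMPS='):
            value = line.split('=', 1)[1].strip().strip('"\'').lower()
            return value in ('yes', 'true', '1')
    return True  # default: behave like a plain 'emerge -u world'


def select_updates(installed: dict, available: dict,
                   allow_upstream_bumps: bool = True) -> dict:
    """For each installed package pick the newest available version that the
    policy permits. With allow_upstream_bumps=False only -rN bumps of the
    currently installed x.y.z qualify."""
    chosen = {}
    for pkg, cur_label in installed.items():
        cur = parse_version(cur_label)
        candidates = [parse_version(v) for v in available.get(pkg, [])]
        if not allow_upstream_bumps:
            candidates = [v for v in candidates if v.upstream == cur.upstream]
        newer = [v for v in candidates if v.key() > cur.key()]
        if newer:
            chosen[pkg] = format_version(max(newer, key=Version.key))
    return chosen


# Constructed sample data, not taken from any real Portage tree.
SAMPLE_INSTALLED = {"gentoo-sources": "2.4.19-r6", "openssh": "3.4-r1"}
SAMPLE_AVAILABLE = {"gentoo-sources": ["2.4.19-r7", "2.4.20"],
                    "openssh": ["3.4-r2", "3.5"]}
SAMPLE_MAKE_CONF = '# constructed make.conf fragment\nUPSTREAM_BUMPS="no"\n'

if __name__ == "__main__":
    allow = policy_from_make_conf(SAMPLE_MAKE_CONF)
    for pkg, ver in select_updates(SAMPLE_INSTALLED, SAMPLE_AVAILABLE, allow).items():
        print(f"{pkg}: {SAMPLE_INSTALLED[pkg]} -> {ver}")
```

With the knob set to "no" the run picks gentoo-sources 2.4.19-r7 and openssh 3.4-r2 and leaves 2.4.20 and 3.5 alone; with the default it picks the upstream bumps instead.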