On 07/04/17 01:12, Ста Деюс wrote:
> Hi.
>
> I'm new to Gentoo, and before a new installation on my PC, I keep trying to
> choose between system profiles. I want to use the PC as a desktop, but am
> concerned about security and minimalism. So, I would like to use the
> hardened profile and then add the desktop packages, namely openbox w/o
> any X-session managers -- just logging in w/ text console and then
> startx.
>
> So, is my setup wise, or do I miss something because I do not know something
> about the distro regarding these points of installation?
>
> Thank you for your time,
> Sthu.

Minimalism does reduce attack surfaces, but on a workstation, if later
on you want some complex and fancy software, often you have to start
adding codes, flags and recompiling quite a lot. On specific-task
machines, I always go the minimal route, ymmv. I run lxde but it
is morphing into lxqt (or at least that's what is commonly posted).
I've run openbox and actually now use a mixture of codes to build up
one minimized workstation, but it is a pita to get happy.

W. Dnes is the king of minimalists here, so when he gives advice
realize it has decades of experimentation to get to where he is on
minimization. I've been hacking on codes for minimized High Performance
Computing (HPC) gentoo style, but not ready to release anything as it is
a moving target. "Unikernels" are my pathway forward but this path is a
huge time sink... Caveat Emptor!

Hardened is changing, due to the fact that the patches provided to the
linux kernel team are not being provided for free anymore. There is
much angst as to the pathway forward. Much of the work is being carried
forward in the kernel, compiler projects and some apps, but what to do
post kernel 4.9.x is not clear for gentoo, atm. This thread by blueness
on gentoo-dev is a good place to start reading, look in the archives::

[gentoo-dev] The status of grsecurity upstream and hardened-sources
downstream

Here's the [thread] intro::

"Since late April, grsecurity upstream has stopped making their patches
available publicly. Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project. I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening. The two are
interrelated but independent enough that toolchain hardening can
continue on its own. The hardened kernel, however, provided PaX
protection for executables and this will be lost. We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue. At this point, I think
it's time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows. I'll wait one more month and then send out
a news item and later mask hardened-sources for removal. I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings."

Personally, I'd suggest following Anthony (blueness) as to the
gentoo-hardened pathway forward, but surely others in the extended
gentoo community are surefooted with gentoo security. (Pentoo) might be
of interest as a workstation pathway forward.... If you cannot block them,
join them....?

;-)

hth,
James

And more links for your convenience::

https://www.theregister.co.uk/2015/08/27/grsecurity

https://www.wilderssecurity.com/threads/grsecurity-patches-going-private.393068/

https://lwn.net/Articles/662219/

https://lwn.net/Articles/698891/

https://grsecurity.net/compare.php

https://www.theregister.co.uk/2015/08/27/grsecurity