On 21/02/2014 16:15, hasufell wrote:
> Alan McKinnon:
>> On 20/02/2014 22:41, Nicolas Sebrecht wrote:
>>> On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko
>>> wrote:
>>>
>>>> And this point is one of the highest security benefits in real
>>>> world: one has non-standard binaries, not available in the
>>>> wild. Most exploits will fail on such binaries even if
>>>> vulnerability is still there.
>>>
>>> While excluding few security issues by compiling less code is
>>> possible, believing that "non-standard binaries" (in the sense of
>>> "compiled with local compilation flags") gives more security
>>> is a dangerous dream.
>>>
>
>
>> +1
>
>> "non-standard binaries" is really just a special form of security
>> by obscurity.
>
> So you are saying compiling a minimal kernel to minimize exposure to
> subsystem bugs is only obscurity? (I really wonder what Greg would say
> to this)

No, I'm saying that I pay RedHat large sums of money to look after this
on my behalf and that money is wasted if I build a custom kernel on that
machine.

RedHat has a vested interest in doing this right (it's the product they
sell) and they have more engineering resources to apply to the problem
than I can ever raise. The odds favour RedHat often getting this right
and me often getting it wrong, simply because I don't have the unit
testing facilities required and my employer doesn't employ OS builders.

I won't permit Gentoo to be used in production here for precisely that
reason - I can't provide the test guarantees the business and
shareholders demand.


> The argument that this particular setup may be less tested is a valid
> one. But less tested also means less commonly known exploits and
> testing these setups is a win-win for users and upstream.
>
> Whether you like it or not... whenever you install software on a
> server, you become a tester at the same point.

Proper testing carries an onerous burden. I've yet to find an enterprise
anywhere in the world that does it right outside of their core business.
Instead, they pay someone else to do it.

--
Alan McKinnon
alan.mckinnon@×××××.com