| 1 |
First, thanks for the pointers. See below |
| 2 |
|
| 3 |
On Tue, Jul 11, 2006 at 07:08:52PM -0700, Penguin Lover Richard Fish squawked: |
| 4 |
> On 7/11/06, Willie Wong <wwong@×××××××××.edu> wrote: |
| 5 |
> > 2. Is there more information about what "more harm than good" means? |
| 6 |
> > I tried googling but the only thing I found was a commit log on |
| 7 |
> > solar's website with a one-liner about p.masking nvidia-kernel. I |
| 8 |
> > want to know what kind of problems that nvidia drivers incur so I |
| 9 |
> > can decided whether to give up 3D acceleration, the hardened |
| 10 |
> > profile, or ignore solar's advice and unmask the packages. |
| 11 |
> |
| 12 |
> Well, see what the hardened handbook has to say about binary drivers and |
| 13 |
> x.org: |
| 14 |
> http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml#doc_chap4 |
| 15 |
|
| 16 |
Well, that page is rather outdated. I am pretty sure nvidia-glx |
| 17 |
supports dlloader since several versions back (at least since summer |
| 18 |
of last year): after all, I've been running it. There were some |
| 19 |
hiccups early on when I first started using it (several programs I |
| 20 |
often use, such as ut2004 and mplayer requires chpax/paxctl to turn |
| 21 |
off MPROTECT and RANDEXEC), but it has been running well on my system. |
| 22 |
> |
| 23 |
> I also found this bug: |
| 24 |
> http://bugs.gentoo.org/show_bug.cgi?id=139047 |
| 25 |
|
| 26 |
The attitude expressed in that bug is also the point made on the |
| 27 |
gentoo-hardened mailing list (I did a search on gmane after sending |
| 28 |
out my original e-mail). Basically it seems that the devs attitude is |
| 29 |
that "the driver is binary, we can't fix it if it is broken, so we |
| 30 |
won't support it." And I am completely fine with that. But I remember |
| 31 |
one year ago them telling us to use dlloader and to use binary drivers |
| 32 |
at our own risk, I am wondering if anyone here knows why the sudden |
| 33 |
change in attitude into "I am telling you not to use nvidia binary |
| 34 |
drivers", namely, if there is any new found incompatibility of |
| 35 |
nvidia-drivers with the hardened profile. |
| 36 |
|
| 37 |
> There may also be a valid security concern with binary-only kernel |
| 38 |
> modules: since they cannot be audited for security, one should assume |
| 39 |
> that they are horribly insecure. Any exploit here could comprimise |
| 40 |
> the entire system, so one could argue they are totally inappropriate |
| 41 |
> for a 'hardened' system. |
| 42 |
|
| 43 |
Yes, I took on that risk when I started running a hardened desktop |
| 44 |
with nvidia binary drivers. What I am most interested is what new |
| 45 |
significant flaws (if any) were found in the binary drivers that makes |
| 46 |
its use such taboo. |
| 47 |
|
| 48 |
Furthermore, I thought one of the things that the hardened team were |
| 49 |
less happy about is not so much the binary kernel driver, but the |
| 50 |
libGL.so nvidia provides... basically any program that uses opengl |
| 51 |
that links against the nvidia-glx would need to have certain PAX flags |
| 52 |
turned off to run without being killed by the kernel. |
| 53 |
|
| 54 |
I am beginning to sense the situation is more along the line of the |
| 55 |
devs formalizing the policy of not supporting binary drivers and |
| 56 |
telling users to stop bothering them with bugs they cannot do anything |
| 57 |
about. If that is indeed the case, I'd simply unmask the offending |
| 58 |
packages and deal with them myself. |
| 59 |
> |
| 60 |
> > 3. Is this (the fact that I am running a hardened profile) the reason |
| 61 |
> > that if I 'emerge --pretend --update xorg-x11 --verbose', among the |
| 62 |
> > list of VIDEO_CARDS options displayed, I do not see nvidia? |
| 63 |
> |
| 64 |
> That is correct. video_cards_nvidia is in the hardened profile's use.mask. |
| 65 |
> |
| 66 |
|
| 67 |
I looked at man portage, and I am not quite sure about this: |
| 68 |
|
| 69 |
Is it possible to unmask the useflag by, for example, writing to |
| 70 |
/etc/portage/use.mask the line "-video_cards_nvidia"? Or must I modify |
| 71 |
/etc/make.profile/use.mask? |
| 72 |
|
| 73 |
thx |
| 74 |
|
| 75 |
W |
| 76 |
-- |
| 77 |
Sortir en Pantoufles: up 11:25 |
| 78 |
-- |
| 79 |
gentoo-user@g.o mailing list |
Archives