First, thanks for the pointers. See below

On Tue, Jul 11, 2006 at 07:08:52PM -0700, Penguin Lover Richard Fish squawked:
> On 7/11/06, Willie Wong <wwong@×××××××××.edu> wrote:
> > 2. Is there more information about what "more harm than good" means?
> > I tried googling but the only thing I found was a commit log on
> > solar's website with a one-liner about p.masking nvidia-kernel. I
> > want to know what kind of problems the nvidia drivers incur so I
> > can decide whether to give up 3D acceleration, the hardened
> > profile, or ignore solar's advice and unmask the packages.
>
> Well, see what the hardened handbook has to say about binary drivers and
> x.org:
> http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml#doc_chap4

Well, that page is rather outdated. I am pretty sure nvidia-glx
has supported dlloader since several versions back (at least since summer
of last year): after all, I've been running it. There were some
hiccups early on when I first started using it (several programs I
often use, such as ut2004 and mplayer, require chpax/paxctl to turn
off MPROTECT and RANDEXEC), but it has been running well on my system.
>
> I also found this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=139047

The attitude expressed in that bug is also the point made on the
gentoo-hardened mailing list (I did a search on gmane after sending
out my original e-mail). Basically it seems that the devs' attitude is
that "the driver is binary, we can't fix it if it is broken, so we
won't support it." And I am completely fine with that. But I remember
one year ago them telling us to use dlloader and to use binary drivers
at our own risk, so I am wondering if anyone here knows why the sudden
change in attitude to "I am telling you not to use nvidia binary
drivers", namely, whether there is any newly found incompatibility of
nvidia-drivers with the hardened profile.

> There may also be a valid security concern with binary-only kernel
> modules: since they cannot be audited for security, one should assume
> that they are horribly insecure. Any exploit here could compromise
> the entire system, so one could argue they are totally inappropriate
> for a 'hardened' system.

Yes, I took on that risk when I started running a hardened desktop
with nvidia binary drivers. What I am most interested in is what new
significant flaws (if any) were found in the binary drivers that make
its use so taboo.

Furthermore, I thought one of the things that the hardened team were
less happy about is not so much the binary kernel driver, but the
libGL.so nvidia provides... basically any program that uses opengl
that links against the nvidia-glx would need to have certain PaX flags
turned off to run without being killed by the kernel.

I am beginning to sense the situation is more along the lines of the
devs formalizing the policy of not supporting binary drivers and
telling users to stop bothering them with bugs they cannot do anything
about. If that is indeed the case, I'd simply unmask the offending
packages and deal with them myself.
>
> > 3. Is this (the fact that I am running a hardened profile) the reason
> > that if I 'emerge --pretend --update xorg-x11 --verbose', among the
> > list of VIDEO_CARDS options displayed, I do not see nvidia?
>
> That is correct. video_cards_nvidia is in the hardened profile's use.mask.
>

I looked at man portage, and I am not quite sure about this:

Is it possible to unmask the useflag by, for example, writing to
/etc/portage/use.mask the line "-video_cards_nvidia"? Or must I modify
/etc/make.profile/use.mask?

thx

W
--
Sortir en Pantoufles: up 11:25
--
gentoo-user@g.o mailing list
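As an added example (not code from the thread or from Gentoo), a small Python auditor for the situation Willie describes: chpax/paxctl record their per-binary markings in a PT_PAX_FLAGS program header, so an admin of a hardened profile can scan executables and list which protections (here MPROTECT and RANDEXEC, as for the OpenGL programs above) have been explicitly switched off. It assumes ELF64 binaries; the bit values follow paxctl's header, and the ELF image used as input is constructed inline.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # program-header type PaX/paxctl use to store flags
# (feature, bit forcing it on, bit forcing it off), as in paxctl's header
PAX_FEATURES = [
    ("PAGEEXEC", 1 << 4, 1 << 5),
    ("SEGMEXEC", 1 << 6, 1 << 7),
    ("MPROTECT", 1 << 8, 1 << 9),
    ("RANDEXEC", 1 << 10, 1 << 11),
    ("EMUTRAMP", 1 << 12, 1 << 13),
    ("RANDMMAP", 1 << 14, 1 << 15),
]

def read_pax_flags(data):
    """Return p_flags of the PT_PAX_FLAGS header of an ELF64 image, or None."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled in this example")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    phoff, = struct.unpack_from(end + "Q", data, 32)             # e_phoff
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54)  # e_phentsize, e_phnum
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, phoff + i * phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None  # unmarked binary: the kernel's default (or softmode) policy applies

def decode_pax_flags(flags):
    """Map each feature to 'enabled', 'disabled' or 'default'."""
    return {name: ("disabled" if flags & off else "enabled" if flags & on else "default")
            for name, on, off in PAX_FEATURES}

def relaxed_features(data):
    """Sorted names of the protections a binary explicitly turns off."""
    flags = read_pax_flags(data)
    if flags is None:
        return []
    return sorted(n for n, s in decode_pax_flags(flags).items() if s == "disabled")

def make_elf64_with_pax(flags):
    """Constructed minimal little-endian ELF64 image with one PT_PAX_FLAGS header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9  # ELFCLASS64, LSB, EV_CURRENT
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff=64, e_shoff, e_flags,
    # e_ehsize=64, e_phentsize=56, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

# The thread's case: MPROTECT and RANDEXEC switched off (the marking `paxctl -mx` writes)
SAMPLE = make_elf64_with_pax((1 << 9) | (1 << 11))
```

On a real system, feed `relaxed_features` the bytes of each file under the directories you care about and review any binary that reports MPROTECT or RANDEXEC as disabled.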