On 24/06/2015 14:23, behrouz khosravi wrote:
>
> Here's some good advice:
>
> Don't do that. See below.
>
> Oops! I have done it and I am happy so far!

Wait a little longer :-)

I predict within 2 weeks you'll be posting back about some completely
baffling problem and we'll have a huge thread to help fix it for you.
But such is how mailing lists work.

Keep Q's advice in mind - when posting, *always* state up front in caps
that you have over-ridden USE
|
>
> That's a bit of a nonsensical line of thought, as what you think you
> want doesn't really exist.
>
> I think you misunderstood me! For example adding CPU specific flags is a
> good idea right?

Getting your flags right for your CPU is always a very good idea, it's
one of the main things Gentoo is built for. Binary distros can't easily
do this for you (way too many variations) but a source-distro like
Gentoo can do it with ease.

It is a very good example of where a source distro truly shines and a
valid case of optimizing your binaries. It's the exact opposite of ricing.
|
> I meant something like that. For example is it wise to enable opengl
> flag globally? Is it helpful to do so?

If you need opengl, enable it.
If you don't need opengl, disable it.
If you have some software that *requires* opengl to work, well then you
better enable it.

There's no correct answer to your question, you should instead be asking
"Do I need and/or want opengl?" and before that ask "What is opengl anyway?"

No doubt a bunch of folks will weigh in here telling you why opengl
is/isn't an awesome idea. But you still have to ask and answer those
questions for yourself.
|
>
> > What do you recommend?
>
> DO NOT SET "USE=-*"
>
> As I said before I have done it and I totally recommend it to anyone
> interested to get a better understanding of user land.

For experts, yes.

To be blunt, you are not an expert, not even close.

But hey, it's your system and your time you'll expend. If you break it,
you get to keep all the little tiny shards.
|
>
> Pick a profile that suits what you want to use the computer for.
>
> You have a desktop? Pick a suitable desktop profile. Don't pick a KDE
> one unless you use KDE for instance (all that does is set some KDE flags
> (like semantic-desktop or baloo or whatever they call it now) and force
> some KDE packages to be merged). It doesn't change the underlying way
> things work.
>
> desktop profiles are very big for my taste. In fact I have been using
> KDE for about a year on the default (basic) profile.
> I have compiled the KDE with KDE profile and I have witnessed the
> differences with my own eyes.

And what difference is that? There is very little difference between a
desktop profile with KDE installed, and a KDE profile that includes KDE.

I have firefox installed. It runs. There isn't a "firefox profile" but
if there was, I expect to see very little difference between that and
what I currently have.

Unless you are complaining about a profile that emerged every known KDE
app under the sun, when what you actually wanted was just the few KDE
apps you really use minus all the semantic desktop and akonadi fluff.
There's a huge difference there. That's how my main machine is set up,
and why I don't use the KDE profile.
|
>
> I very much doubt you can "increase security" by picking some USE flags.
> There is no
> USE="open-me-up-to-the-world"
> or
> USE="rock-solid-nsa-proff-tight"
> USE flags :-)
>
> So what security features do you need or want?
> Figure that out and then set the system up to provide that. You will get
> what you want.
>
> Well I know there is no USE flag like that! I am not that stupid but I
> remember that I have read somewhere (unfortunately I don't remember where)
> that disabling some use flags will degrade the security of system.

Of course that can happen, but it's nowhere near as simple as you imply.

As with everything else in life, the truth is always considerably more
complex than you think. USE does not enable or disable security. USE
enables or disables specific features in software, usually features that
are configured at build time.
|
These features can have side-effects that relate to security. Or to
accessibility. Or to look and feel. Or to semantic desktop fluff. Or to
the ability to print. Or to any other aspect of software you care to
mention.

Take for example PAM - that's a security-related optional feature. You
can disable it entirely if you like but then you lose the security
features of PAM (specifically, the ability to specify exactly how you
want authentication and authorization to be done, leaving you only with
the basic username/password scheme). Maybe you want that, maybe you
don't. But nobody can tell you that the setting of the USE flag will
improve or degrade your security stance.

It's just not that simple.

You have to look at the flag, and understand what it means. Then look at
the software that uses it and understand what difference it makes *to
that software*. Then decide what the impact of those differences is
going to be *in your case*. And every case is different.


--
Alan McKinnon
alan.mckinnon@×××××.com