| 1 |
On Thu, 20 Feb 2014 11:29:52 +0100 Nicolas Sebrecht wrote: |
| 2 |
> The 20/02/14, Nilesh Govindrajan wrote: |
| 3 |
> |
| 4 |
> > Gentoo makes the best server os because it's a custom built os where the |
| 5 |
> > admin knows each and every aspect of the os. Security wise, there are no |
| 6 |
> > unwanted or unused stuff, so lesser bugs to deal with. |
| 7 |
> |
| 8 |
> While I agree with the "less code is less bug" argument, I disagree with |
| 9 |
> your point. |
| 10 |
> |
| 11 |
> Tuning softwares mean that the binaries compiled on a machine are less |
| 12 |
> used in the wild (other Gentoo systems have other hardware, enabled use |
| 13 |
> flags, etc). Hence, the binaries executed on you local server are likely |
| 14 |
> much less tested by others. |
| 15 |
|
| 16 |
And this point is one of the highest security benefits in real world: |
| 17 |
one have non-standard binaries, not available in the wild. Most |
| 18 |
exploits will fail on such binaries even if vulnerability is still |
| 19 |
there. This will cut-off most off automatic botnet attacks even |
| 20 |
without additional security measures like hardened setup, PaX or |
| 21 |
GRSecurity (yeah, I never trusted SELinux because of its main |
| 22 |
author: sane agency will never release a security tool which can be |
| 23 |
a hinder to this agency). Of course, if system is specifically |
| 24 |
targeted by qualified professionals, this will only hinder their |
| 25 |
approach, but binary based distributions will not provide any |
| 26 |
advantage here either. |
| 27 |
|
| 28 |
Best regards, |
| 29 |
Andrew Savchenko |
Archives