On Thu, 20 Feb 2014 11:29:52 +0100 Nicolas Sebrecht wrote:
> The 20/02/14, Nilesh Govindrajan wrote:
>
> > Gentoo makes the best server OS because it's a custom-built OS where the
> > admin knows each and every aspect of the OS. Security-wise, there is no
> > unwanted or unused stuff, so fewer bugs to deal with.
>
> While I agree with the "less code is less bug" argument, I disagree with
> your point.
>
> Tuning software means that the binaries compiled on a machine are less
> used in the wild (other Gentoo systems have other hardware, enabled use
> flags, etc). Hence, the binaries executed on your local server are likely
> much less tested by others.

And this point is one of the highest security benefits in the real world:
one has non-standard binaries, not available in the wild. Most
exploits will fail on such binaries even if the vulnerability is still
there. This will cut off most of the automatic botnet attacks even
without additional security measures like a hardened setup, PaX or
GRSecurity (yeah, I never trusted SELinux because of its main
author: a sane agency will never release a security tool which can be
a hindrance to this agency). Of course, if the system is specifically
targeted by qualified professionals, this will only hinder their
approach, but binary-based distributions will not provide any
advantage here either.

Best regards,
Andrew Savchenko