On 07/04/17 23:16, Walter Dnes wrote:
> On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote
>
>> W. Dnes is the king of minimalist here, so when he gives advice
>> realize it has decades of experimentation to get to where he is on
>> minimization.
>
> Not exactly "decades". I first started linux in late 1999 or early
> 2000. The minimalist approach was a side-effect of me being cheap.
> Even though I have a newer machine as my "hot backup" waiting in the
> wings, I want to run my older machine into the ground first. 10 years
> ago I was running a 450 mhz pentium3 with 256 megabytes of ram. Today
> I'm running a 2008 Dell with Core2 Duo and 3 gigs of ram today. I have
> a newer i6 with 8 gigs of ram as the hot backup. Running an older
> limited machine forces you to optimize. The Gentoo USE flags give me
> the control to do the utmost minimization.
>
> I run the plain default/linux profile, and ICEWM as my WM and no
> "desktop environment" (as per my sig). The less attack surface, the
> better. Do not run the Flash plugin or the Java plugin. If you
> absolutely have to do so, use it inside a VM (e.g. QEMU). I have an
> aggressive handcrafted iptables firewall. In addition, my little LAN
> sits behind a NAT-ing router, and I disable UPNP. That covers my
> approach to security.
>
> I run mostly stable, except where an app I want/need is only unstable.
> Gentoo currently defaults to gcc-5.4.0. I've enabled 6.3.0. I have to
> enable ICEWM 1.3.12-r1. The regular stable version built under gcc
> 6.3.0 segfaults 1 or 2 seconds after starting.
>
> I used to run with USE="-* blah blah blah". I no longer do that, but
> I aggressively disable USE flags, until something breaks, then I back
> off. My current USE line (it's actually one long line)...
>
> USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg
> threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium
> -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6
> -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev
> -udisks -unicode -xinerama"
>
> Some of the above is over-ridden in package.use.
>

Well, now that's a good summary (starting point) for a minimized gentoo
system. The gentoo-devs have been discussing changes to the profiles,
but I'm not certain where that has ended up. I just use the 'default'
and go from there, or the simplest 'hardened' profile that is cpu
relevant. I'm not sure of the most straightforward way to compare
flag settings (the difference) between any two profiles for a new
installer to examine; perhaps somebody else has a straightforward
method to compare current profiles, within a given architecture?

Surely a look at the contents of the @system set is a good starting point
for a new gentooer to see what he gets no matter which profile he
selects? Then there are the 'experimental' profiles that the devs keep
moving around; who knows what's up with those mavericks....


Hopefully the AliceF [1] GSoC work will result in some structure to
follow for a minimized and hardened kernel going forward. Even in the
gentoo-sources kernel there is much that can be stripped out, reducing
bloat at the least and probably reducing attack venues too. During this
process, I keep several bootable kernels available so reverting is easy.
Perhaps there is a gentoo wiki page that at least outlines the manual
processes (a structured approach) as users go down the pathway of
stripping out what their workstation does not need in a kernel?

Perhaps someone has a slick, home-spun, tool that readily identifies
what can be additionally stripped from the current kernel offerings on
the pathway to minimized_nirvana ?


Then there's NFTables; not sure anything useful is published on
NFTables, nor how effective it is for a workstation firewall... [3]

Thanks Walter for sharing. Increasing the population of (OpenRC et al.)
minimalists is always welcome as our numbers are growing every day;
not that one is bound to OpenRC to be a gentoo_minimalist.



hth,
James

[1] https://blogs.gentoo.org/alicef/
https://archives.gentoo.org/gentoo-soc/threads/2017-06/

[3] https://wiki.gentoo.org/wiki/Nftables
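James asks above how a newcomer could compare the USE defaults of two profiles. As an added example (not code from this thread, and not Portage's own resolver), the script below walks a profile's `parent` chain and stacks each `make.defaults` USE value under the incremental rules Portage applies, which is where a `-*` line like the one Walter used to run shows its effect. It ignores use.mask, use.force, package.use and `${VAR}` expansion, and the profile tree it builds is constructed for the demo, so the result is a first look at the difference, not a replacement for `emerge --info` under each profile.

```python
"""Default USE of a Gentoo profile: walk its parent chain and stack each
make.defaults USE incrementally ("-*" resets, "-foo" drops foo).
Approximation only: use.mask, use.force, package.use, ${VAR} are ignored."""
import shlex
import tempfile
from pathlib import Path

def profile_chain(profile):
    """Profile dirs in stacking order: parents first, depth-first."""
    profile, chain = Path(profile), []
    if (profile / "parent").is_file():
        for line in (profile / "parent").read_text().splitlines():
            rel = line.split("#")[0].strip()
            if rel:
                chain += profile_chain((profile / rel).resolve())
    return chain + [profile.resolve()]

def read_use(profile):
    """USE tokens of profile/make.defaults; quoting and \\-continued lines handled."""
    mk = Path(profile) / "make.defaults"
    if not mk.is_file():
        return []
    toks = shlex.split(mk.read_text().replace("\\\n", " "), comments=True)
    use = [t[4:] for t in toks if t.startswith("USE=")]
    return use[-1].split() if use else []

def effective_use(profile):
    """Stacked USE for `profile`, sorted."""
    use = set()
    for tok in (t for d in profile_chain(profile) for t in read_use(d)):
        if tok == "-*":
            use.clear()
        elif tok.startswith("-"):
            use.discard(tok[1:])
        else:
            use.add(tok)
    return sorted(use)

def demo():
    """Constructed stand-in for profiles/ (not the real tree), built in a temp dir."""
    tree = {"base": ("", 'USE="acl berkdb iconv ipv6 nls pam unicode"'),
            "default/linux": ("../../base", 'USE="udev X"'),
            "default/linux/desktop": ("..", 'USE="gstreamer opengl \\\n png truetype"'),
            "default/linux/lean": ("..", 'USE="-* X png truetype -berkdb"')}
    root = Path(tempfile.mkdtemp())
    for name, (parent, use) in tree.items():
        (root / name).mkdir(parents=True)
        if parent:
            (root / name / "parent").write_text(parent + "\n")
        (root / name / "make.defaults").write_text(use + "\n")
    desk, lean = (effective_use(root / "default/linux" / p) for p in ("desktop", "lean"))
    return {"desktop": desk, "lean": lean, "only_desktop": sorted(set(desk) - set(lean)),
            "only_lean": sorted(set(lean) - set(desk))}
```

Pointing `effective_use` at two real profile directories under the repository's `profiles/` gives the same kind of side-by-side listing for an actual install.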