
lists at wildgooses
Jan 18, 2010, 8:18 AM
Post #3 of 3
Re: Towards better profiles for hardened.
On 14/01/2010 12:16, Shinkan wrote:
>
>
> 2010/1/13 basile <basile [at] opensource <mailto:basile [at] opensource>>
>
> Hi guys,
>
> I'm emailing because the profile issue came up again in IRC. I'd like
> to continue the discussion here. Let me try to get it started.
>
> Here's some general issues with the current profile structure:
>
> 1) It is horribly complex and difficult to read the inheritance
> structure. It's not clear the inheritance even works. As a result, the
> user is not sure what is going on. This ambiguity makes it difficult
> to even start a coherent criticism!
>
> 2) There doesn't appear to be a good structure for separation of various
> features. In OO language, I can't choose what to inherit. I wind up
> getting stuff from other profiles which I don't want and can't control
> this, so I'm tempted to just USE="-*" and start from scratch, which is
> not a good thing.
>
> 3) There is a clear bias towards the desktop. If you go that route, you
> get what you need/want. When you deviate, you start to get more things
> that you don't want/need and have to struggle against points 1 and 2.
>
> This affects hardened and hardened+server most. Comments?
>
>
> I don't really get the productive side of this message, but I do agree
> with all those points.
>

I think to some extent this may need to get pushed further up to whoever manages the main gentoo profiles? The problem seems a bit deeper rooted, but things seem to be either getting worse or better depending on whether you like the current direction of progress?

A follow-on point is that getting some public docs/howtos on building your own profiles would be really useful. I figured out the major details and use it here on a bunch of linux-vservers and it's absolutely fantastic for getting all servers largely the same and baselining the software install. However, it wasn't that intuitive to start with.

Anyway, sounds good - what do we do next?

Ed