
Mailing List Archive: Gentoo: Hardened

RFC: Removing -unicode from all hardened profiles

 

 



blueness at gentoo

Apr 21, 2012, 4:05 AM

Post #1 of 11 (731 views)
RFC: Removing -unicode from all hardened profiles

Hi everyone,

I'd like to remove USE="-unicode" from make.defaults at the root level
of all hardened profiles. The request came from jmbsvicetto because he
required it for the hardened stages to build, but to be honest, I don't
know why we have it disabled in hardened and it's probably leftover cruft
from days gone by.

Any reason not to, else it's gone.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535


viniciusferrao at cc

Apr 21, 2012, 7:55 AM

Post #2 of 11 (703 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

Anthony,

All my hardened boxes have Unicode enabled by hand. Everything is fine. I can't understand why it is disabled too.

Sent from my iPhone

On 21/04/2012, at 08:05, "Anthony G. Basile" <blueness [at] gentoo> wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level of all hardened profiles. The request came from jmbsvicetto because he required it for the hardened stages to build, but to be honest, I don't know why we have it disabled in hardened and it's probably leftover cruft from days gone by.
>
> Any reason not to, else it's gone.
>
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness [at] gentoo
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
>


klondike at gentoo

Apr 21, 2012, 9:13 AM

Post #3 of 11 (705 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On 21/04/12 16:55, Vinícius Ferrão wrote:
> Anthony,
>
> All my hardened boxes have Unicode enabled by hand. Everything is fine. I can't understand why it is disabled too.
Same here blueness, for me it can go and nobody will notice :D


prometheanfire at gentoo

Apr 21, 2012, 9:23 AM

Post #4 of 11 (707 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On Sat, 21 Apr 2012 18:13:45 +0200
"Francisco Blas Izquierdo Riera (klondike)" <klondike [at] gentoo> wrote:

> On 21/04/12 16:55, Vinícius Ferrão wrote:
> > Anthony,
> >
> > All my hardened boxes have Unicode enabled by hand. Everything is
> > fine. I can't understand why it is disabled too.
> Same here blueness, for me it can go and nobody will notice :D
>

I have had unicode enabled for a long time, both my mail server
understands it (so it can filter spam) and my laptop. Both have had no
issues.

--
Matthew Thode (prometheanfire)


michael at orlitzky

Apr 21, 2012, 11:25 AM

Post #5 of 11 (705 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On 04/21/2012 07:05 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level
> of all hardened profiles. The request came from jmbsvicetto because he
> required it for the hardened stages to build, but to be honest, I don't
> know why we have it disabled in hardened and it's probably leftover cruft
> from days gone by.
>
> Any reason not to, else it's gone.
>
>

A few of our servers have it enabled (http, mail), but others don't
(vpn, firewall, nagios).

I think the hardened profile should default to having stuff disabled,
unless there's a reason to enable it. Every little bit increases your
surface area.

But I'm sure jmbsvicetto knows what he's doing, so that principle may
not apply here. If it's required, turn it on.


h.v.bruinehsen at fu-berlin

Apr 21, 2012, 12:12 PM

Post #6 of 11 (706 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]


On 21.04.2012 13:05, Anthony G. Basile wrote:
> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root
> level of all hardened profiles. The request came from jmbsvicetto
> because he required it for the hardened stages to build, but to be
> honest, I don't know why we have it disabled in hardened and it's
> probably leftover cruft from days gone by.
>
> Any reason not to, else it's gone.
>
>

Hi,

unicode works fine for me on several hardened systems. I don't think
that there would be real problems.
But to make it sure: why don't you write a news item (eselect news ...
-thingy) that announces the switch.
Anyone who needs -unicode for some reason would have the chance to
update hers or his make.conf (maybe even to go with "never change a
working system").

With kind regards,

Hinnerk


swift at gentoo

Apr 21, 2012, 12:32 PM

Post #7 of 11 (703 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On Sat, Apr 21, 2012 at 09:12:37PM +0200, Hinnerk van Bruinehsen wrote:
> unicode works fine for me on several hardened systems. I don't think
> that there would be real problems.
> But to make it sure: why don't you write a news item (eselect news ...
> -thingy) that announces the switch.
> Anyone who needs -unicode for some reason would have the chance to
> update hers or his make.conf (maybe even to go with "never change a
> working system").

I don't think it is necessary to use a news item. These are generally for
when things might break. A change in USE flags that add in optional support
generally doesn't break things (of course, there are always exceptions).

Users that run their upgrades with --new-use or --changed-use are already
expecting USE flag changes to occur (otherwise they wouldn't mention these
switches with emerge). If you notice that there are USE flags being enabled
or disabled that you rather don't, just edit /etc/make.conf and live happily
ever after.

Although there is much to say about "minimal installation" for servers, this
is not always something that we, from a distribution point of view, can
enforce. Some features, and I think unicode is one of them, are well capable
of being supported on a default server. Especially with more and more users
and organizations adopting unicode as the default character format rather
than the older ISO-* ones.

Wkr,
Sven Vermeulen


blueness at gentoo

Apr 22, 2012, 4:26 AM

Post #8 of 11 (701 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On 04/21/2012 07:05 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level
> of all hardened profiles. The request came from jmbsvicetto because he
> required it for the hardened stages to build, but to be honest, I don't
> know why we have it disabled in hardened and it's probably leftover cruft
> from days gone by.
>
> Any reason not to, else it's gone.
>
>

Okay, I will remove it in a minute. Answering some points:

1) Not a news item. News items IMHO are for things that require
significant user intervention, eg. when I changed up the entire profile
structure and the user had to eselect profile.

2) I'm only changing the default, so for those who still want unicode
off, you can still do USE=-unicode in your make.conf

3) I agree that hardened should be mostly off by default. Eg. ipv6 is
off by default. But as pressure mounts the switch to on by default may
have to occur as it has now with unicode and will happen some day with ipv6.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
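
The stacking behaviour discussed in the post above (a profile default that a user can still override with USE=-unicode in make.conf), as an added example that is not part of the original thread and is not Portage's own code. It is a simplified model of incremental USE resolution that ignores use.mask, use.force and package.use; the layer names, the layer contents and the assumption that a parent profile enables unicode are constructed for illustration.

```python
# Simplified model of incremental USE stacking (illustration only, not Portage code).
# Later layers override earlier ones; "-flag" disables, "-*" clears everything so far.

def resolve_use(layers):
    """layers: list of (layer_name, use_string), lowest priority first.

    Returns (enabled_flags, decided_by), where decided_by maps each flag to
    the layer that last enabled or disabled it.
    """
    enabled, decided_by = set(), {}
    for layer, use_string in layers:
        for token in use_string.split():
            if token == "-*":
                for flag in enabled:
                    decided_by[flag] = layer
                enabled.clear()
            elif token.startswith("-"):
                flag = token[1:]
                enabled.discard(flag)
                decided_by[flag] = layer
            else:
                enabled.add(token)
                decided_by[token] = layer
    return enabled, decided_by


def report(layers, flag):
    """One-line audit answer: is the flag on, and which layer decided it?"""
    enabled, decided_by = resolve_use(layers)
    state = "on" if flag in enabled else "off"
    return f"{flag}: {state} (decided by {decided_by.get(flag, 'no layer')})"


# Constructed sample layers (assumption: a parent profile enables unicode and ipv6).
PARENT = ("parent profile make.defaults", "unicode ipv6 ncurses")
HARDENED_OLD = ("hardened make.defaults", "hardened -unicode -ipv6")
HARDENED_NEW = ("hardened make.defaults", "hardened -ipv6")  # "-unicode" removed
USER_OPT_OUT = ("/etc/make.conf", "-unicode")

if __name__ == "__main__":
    cases = {
        "before the change": [PARENT, HARDENED_OLD],
        "after the change": [PARENT, HARDENED_NEW],
        "after the change, user opts out": [PARENT, HARDENED_NEW, USER_OPT_OUT],
    }
    for title, layers in cases.items():
        print(f"{title}: {report(layers, 'unicode')}; {report(layers, 'ipv6')}")
```
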


ma1l1ists at yahoo

Apr 23, 2012, 11:17 AM

Post #9 of 11 (701 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On Sun, 22 Apr 2012 07:26:19 -0400
Anthony G. Basile wrote:

> 3) I agree that hardened should be mostly off by default. Eg. ipv6 is
> off by default. But as pressure mounts the switch to on by default may
> have to occur as it has now with unicode and will happen some day with ipv6.

Good stuff.

There was a nasty input sanitisation avoiding bug in PHP that only
affected linux boxes with unicode enabled terminals. Maybe these bug
types have something to do with it.

I'd be in two minds, personally I can't remember using unicode on a
terminal and you could use base64 as a workaround. Many many will use it
though, so the default should be enabled.


lists at wildgooses

Apr 29, 2012, 8:07 AM

Post #10 of 11 (675 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On 23/04/2012 19:17, Kevin Chadwick wrote:
> On Sun, 22 Apr 2012 07:26:19 -0400
> Anthony G. Basile wrote:
>
>> 3) I agree that hardened should be mostly off by default. Eg. ipv6 is
>> off by default. But as pressure mounts the switch to on by default may
>> have to occur as it has now with unicode and will happen some day with ipv6.
> Good stuff.
>
> There was a nasty input sanitisation avoiding bug in PHP that only
> affected linux boxes with unicode enabled terminals. Maybe these bug
> types have something to do with it.
>
> I'd be in two minds, personally I can't remember using unicode on a
> terminal and you could use base64 as a workaround. Many many will use it
> though, so the default should be enabled.
>

Equally I would be thinking that we can find some bugs due to unicode
being off? Whether they would cause "security" failures is another matter.

It's probably on the tipping point that ipv6/unicode needs decent testing

Ed W


dirtyepic at gentoo

May 7, 2012, 2:48 PM

Post #11 of 11 (645 views)
Re: RFC: Removing -unicode from all hardened profiles [In reply to]

On Sat, 21 Apr 2012 07:05:52 -0400
"Anthony G. Basile" <blueness [at] gentoo> wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level
> of all hardened profiles. The request came from jmbsvicetto because he
> required it for the hardened stages to build, but to be honest, I don't
> know why we have it disabled in hardened and it's probably leftover cruft
> from days gone by.

See http://article.gmane.org/gmane.linux.gentoo.devel/36385


--
fonts, gcc-porting
toolchain, wxwidgets
@ gentoo.org
