Gentoo

Author: Derek Neighbors
Date:  
Subject: Gentoo
Austin Godber said:
> This really exacerbates one of the largest problems with linux at the
> moment. There are SO many possibilities it makes it impossible for
> someone trying to provide support for a product or application. A Linux
> box can be extraordinarily unique ... the combinations of kernels, kernel
> patches, library versions, compiler versions must make a gigantic mess of
> things.


This is one thing I like about Debian. It is fairly cohesive as a system.
That is, all the packages come from the same place and adhere to the same
standard. (You can get packages elsewhere, but Debian makes it so easy to
include them in their repositories it doesn't make much sense to not add
them.) Whereas getting something included in SuSE or Red Hat is much more
difficult, so many packages are not as stringent... However, that's another
topic.

> I don't really understand this last point however? How is compiling
> apache or ssh with the propolice stack protection that is now standard
> with gcc circumventing peer review? What peer review? I am using the
> apache source, unmodified. Perhaps you mean peer review of that single
> binary that 20,000 people are using. Well, then, you should start
> compiling your binary with -fstack-protector.


Yes, that is what I mean. You are correct: what should be happening is you
should be encouraging the distributors of the binaries to compile with
these new features. :)

> I also do not understand what other "mess of security problems"
> compiling a package myself introduces.


Well, you could choose flags that cause issues. For example, on the Alpha
processor line it is common to issue a flag that changes the way floating
point works. This is often done because if you don't the application
won't compile. So you are forced to either fix the application's source
code so it will compile or to throw this flag so you can get a binary.
However, in doing so you have made the application more susceptible to
buffer overflows, etc.

Another example would be that enabling feature X at compile time in a
program might be "handy" but extremely insecure. The package maintainers
know this so don't compile with that option, but you as an individual may
not know that, so you compile with that option for convenience, never knowing
that you are opening a large security hole in the process.

Note, compiling your own stuff doesn't mean you are insecure or asking for
disaster. You could argue the other side of the coin and say the danger
in dealing with binaries is you can never trust what the packager really
put in that binary (and you would be correct). I still think that
compiling a production system seems errant from a risk analysis
perspective. Maybe I'm getting too conservative in my old age. ;)

-Derek
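The thread above turns on whether a binary was actually built with GCC's ProPolice `-fstack-protector`, whether you built it yourself or took a packager's word for it. One defender-side check that does not depend on trusting the packager is to look at the binary itself: code compiled with the stack protector references the libc routine `__stack_chk_fail`, so the symbol table of an ELF executable records whether at least one function in it got the instrumentation. The following script is an added example, not code from the original message or from any distribution's tooling; it is a minimal little-endian ELF64 symbol-table reader (32-bit and big-endian images are deliberately rejected) plus a constructed fixture builder so it can be exercised offline. The helper names `references_stack_protector`, `build_sample_elf` and `audit_file` are my own.

```python
"""Check whether an ELF64 binary references __stack_chk_fail (added example)."""
import struct
import sys

SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
MARKER = b"__stack_chk_fail"  # emitted by GCC for -fstack-protector canary checks


def _symbol_names(elf: bytes):
    """Yield every symbol name in the SYMTAB and DYNSYM sections of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    # Section header fields: name, type, flags, addr, offset, size, link, info, addralign, entsize
    headers = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
               for i in range(e_shnum)]
    for _, sh_type, _, _, sh_offset, sh_size, sh_link, _, _, sh_entsize in headers:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        # sh_link points at the string table holding this symbol table's names
        str_off, str_size = headers[sh_link][4], headers[sh_link][5]
        strings = elf[str_off:str_off + str_size]
        for j in range(sh_size // sh_entsize):
            (st_name,) = struct.unpack_from("<I", elf, sh_offset + j * sh_entsize)
            yield strings[st_name:].split(b"\x00", 1)[0]


def references_stack_protector(elf: bytes) -> bool:
    """True if any symbol table entry names __stack_chk_fail."""
    return any(name == MARKER for name in _symbol_names(elf))


def audit_file(path: str) -> bool:
    """Read a binary from disk and report whether it references the stack protector."""
    with open(path, "rb") as fh:
        return references_stack_protector(fh.read())


def build_sample_elf(names) -> bytes:
    """Construct a minimal ELF64 image whose .dynsym lists `names` (a test fixture, not loadable)."""
    strtab, offsets = b"\x00", []
    for name in names:
        offsets.append(len(strtab))
        strtab += name + b"\x00"
    symtab = bytes(24)  # mandatory null symbol
    for off in offsets:  # STB_GLOBAL | STT_FUNC, undefined (imported) symbol
        symtab += struct.pack("<IBBHQQ", off, 0x12, 0, 0, 0, 0)
    str_off = 64
    sym_off = str_off + len(strtab)
    sh_off = sym_off + len(symtab)

    def shdr(sh_type, offset, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, offset, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(SHT_STRTAB, str_off, len(strtab), 0, 0)
             + shdr(SHT_DYNSYM, sym_off, len(symtab), 1, 24))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, version 1
    # type=ET_DYN, machine=x86-64, version, entry, phoff, shoff, flags, ehsize, phentsize,
    # phnum, shentsize, shnum, shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + strtab + symtab + shdrs


if __name__ == "__main__":
    for path in sys.argv[1:] or [sys.executable]:
        verdict = "references __stack_chk_fail" if audit_file(path) else "no __stack_chk_fail reference"
        print(f"{path}: {verdict}")
```

Read the result with the caveat the thread itself implies: a reference proves only that at least one function in the binary was compiled with the protector, not that every object file was, and its absence can also mean no function had a frame GCC chose to protect, or that a statically linked binary was stripped of its symbol table. It is a cheap sanity check on what a packager shipped, not a substitute for the distributor building with the flag in the first place.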