From: "Damon M. Conway"
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] Secure Gentoo - What do you think?
Date: Tue, 08 Jan 2002 09:54:38 -0600

Joachim Blaabjerg wrote:
>Mikael Hallendal wrote:
>
>I was planning to use Gentoo as a base, kind of, and make "secure" Portage
>packages (with safe defaults etc., plus a few packages that aren't made for
>Gentoo yet (AFAIK), like LIDS and libsafe, plus the patched kernel).

Very cool.

>> An interesting thought here would be to have some variable set in
>> make.conf that if set only lets you install packages from a list of
>> trusted apps/version. This would be a very flexible solution. Since it
>> lets you have the exact same operating system on your workstation/server
>> while having a really secure setup on your server.
>
>Hmm... Sounds interesting!

Yes, I think you'll find that Gentoo (like BSD) has very good control over the system from a very few centralized files. There should be very little reason to make your changes at the lowest level. If there is, then something in portage itself probably needs attention so that kind of work can be avoided. It's undesirable because of the maintenance cost.

>My only "problem" right now is to figure out where to start... ;) I guess I'll
>have to, more or less, modify each and every one of the .ebuild files.

I think this is where eclasses could really help. Eclasses should allow you to create a meta ebuild that looks for certain make.conf vars set and react accordingly. danarmak and drobbins are the ones to ask for more details on eclasses.

>> Otherwise the only thing I have to say, welcome to the Gentoo community!

Ditto!

kabau

--
"UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things." --Doug Gwyn