From: Bart Lauwers
To: gentoo-dev@lists.gentoo.org
Date: Sat, 25 Sep 2004 23:42:19 +0200
Subject: Re: [gentoo-dev] Stack smash protected daemons

On Saturday 25 September 2004 19:35, Ciaran McCreesh wrote:
> On Sat, 25 Sep 2004 19:26:26 +0200 Bart Lauwers wrote:
> | 1) Safety is important, it should be our aim to have our
> | default system as secure as it possibly could be.
>
> Uh, no. A *reasonable* level of security is good. "As secure as it
> possibly could be" means turning on grsec, selinux etc in maximum
> security mode, which makes a box unusable unless you spend a lot of
> time screwing around with things. Nothing wrong with that under certain
> circumstances, of course, but it should *not* be a default.

As in how do you reason it would? You mean some things are not
practically feasible? Well I agree on that (did you read as far down as
the proposal?).... these things you name do not work with everything
obviously and so these things just aren't possible yet for out of the
box deployment,

> | 3) A good housefather does not leave the front door of any home open
> | at night.
>
> There is a difference between leaving the front door open and installing
> fifty seven locks on the door.

Yes, but this isn't 57 locks tho...

> | Anyone who thinks that a speed tradeoff is too much for better
> | protection is crazy. Do us all a favor and play a go night of Russian
> | roulette by yourself to get your thrills.
>
> You could equally say that anyone who is prepared to take a nasty
> performance hit for possible slight damage mitigation is paranoid. There
> is a huge difference between "not using ssp" and "playing Russian
> roulette".
>
> I kinda wonder about the security FUD certain people are spreading...

Yes I expected as much based on what I had read and I wonder about the
ignorance and pretension of some people. You don't want security fine,
turn it off. In the meanwhile make it easier for the consumers of our
distro. It's time someone speaks out for the user! Frankly, I am tired
of all these one-offs and let's implement xyz useless feature
discussions. This will help people, it will help businesses and as a
consequence it will most definitely help Gentoo. Heck, it helps everyone
except maybe you.

On the matter of the Russian roulette, it is no different, computers
without a security policy are a disaster waiting to happen and the risk
could cost someone their life (not in all uses of a computer granted).
Both are losing propositions. You cannot proof read all the code you put
into a distro so you need better ways to attain an acceptable level of
protection.

If nothing more, then this measure would give us the time to think of
better solutions instead of chasing after moving targets.

Bart.

--
gentoo-dev@gentoo.org mailing list