From: Tom Hendrikx
Date: Wed, 11 Feb 2009 19:53:46 +0100
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Which profile?
Message-ID: <49931EBA.8090307@whyscream.net>
References: <1234258730.28777.12.camel@caguiar-linux.madeiratecnopolo.pt> <49915125.8000703@whyscream.net> <4991C4C2.6040306@gentoo.org> <1234291225.8709.6.camel@hangover> <1234345043.28777.34.camel@caguiar-linux.madeiratecnopolo.pt>
In-Reply-To: <1234345043.28777.34.camel@caguiar-linux.madeiratecnopolo.pt>

Clemente Aguiar wrote:
> Tue, 2009-02-10 at 10:40 -0800, Ned Ludd wrote:
>> On Tue, 2009-02-10 at 19:17 +0100, Thomas Sachau wrote:
>>> Cyprien Nicolas wrote:
>>>> 2009/2/10 Matthew Summers:
>>>>> On Tue, Feb 10, 2009 at 4:04 AM, Tom Hendrikx wrote:
>>>>>> Clemente Aguiar wrote:
>>>>>>> I understand that the profiles were updated recently (last year?)..
>>>>>>>
>>>>>>> Available profile symlink targets:
>>>>>>>   [1]   hardened/amd64 *
>>>>>>>   [2]   hardened/amd64/multilib
>>>>>>>   [3]   selinux/2007.0/amd64
>>>>>>>   [4]   selinux/2007.0/amd64/hardened
>>>>>>>   [5]   default/linux/amd64/2008.0
>>>>>>>   [6]   default/linux/amd64/2008.0/desktop
>>>>>>>   [7]   default/linux/amd64/2008.0/developer
>>>>>>>   [8]   default/linux/amd64/2008.0/no-multilib
>>>>>>>   [9]   default/linux/amd64/2008.0/server
>>>>>>>   [10]  hardened/linux/amd64
>>>>>>>
>>>>>>> Available profile symlink targets:
>>>>>>>   [1]   hardened/x86/2.6 *
>>>>>>>   [2]   selinux/2007.0/x86
>>>>>>>   [3]   selinux/2007.0/x86/hardened
>>>>>>>   [4]   default/linux/x86/2008.0
>>>>>>>   [5]   default/linux/x86/2008.0/desktop
>>>>>>>   [6]   default/linux/x86/2008.0/developer
>>>>>>>   [7]   default/linux/x86/2008.0/server
>>>>>>>   [8]   hardened/linux/x86
>>>>>>>
>>>>>>>
>>>>>>> I would like to know what hardened profile I should use when I build new
>>>>>>> machines? (AMD64 as well as x86)
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>> A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
>>>>>> to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
>>>>>> the profiles directory. This gave me no problems other than the expected
>>>>>> gcc-4 -> gcc-3 downgrade.
>>>>>>
>>>>>> I'm not sure why this profile isn't listed in the eselect profile
>>>>>> listing above. It doesn't give me a big fat "unsupported profile"
>>>>>> warning though...
>>>>>>
>>>>>> Regards,
>>>>>> Tom
>>>>>>
>>>>> This is a confusing situation. I am currently using
>>>>> /usr/portage/profiles/hardened/linux/amd64/2008.0.
>>>>>
>>>>> This is not explicitly listed in the output of 'eselect profile list'.
>>>>>
>>>>> Perhaps we could sort this out on the list & then I will write a quick doc
>>>>> to place in the hardened web space to assist other users.
>>>>>
>>>>> --
>>>>> M. Summers
>>>>>
>>>>> "...there are no rules here -- we're trying to accomplish something."
>>>>> - Thomas A. Edison
>>>>>
>>>> On #gentoo-hardened, I got this answer:
>>>>
>>>> Feb 04 20:10:51 Anyone can say, which profile of the 2
>>>> hardened ones are supported here?
>>>> Feb 04 20:12:01 Tommy[D]: use hardened/${ARCH}/2.6
>>>>
>>>> But it was not listed by Clemente for amd64
>>>>
>>>> --
>>>> Cyprien
>>>>
>>> So he should use either /hardened/amd64 or /hardened/amd64/multilib. If I remember it right, the
>>> other profile (/hardened/linux/* ) is not under control by the hardened team and because of that not
>>> supported.
>> Correct.
>>
>> amd64 #1 or #2 (suggested #2)
>> x86 #1
>>
>
> This is what I wanted to know. Thanks.
>

Then I'll be the one to ask the annoying questions:)

1) Why are they there (could be related to some over-enthusiastic
non-hardened devs)?

2) Why do the profiles in the released hardened stages point to
"../usr/portage/profiles/hardened/linux/x86/2008.0" by default? I
checked this in stage1-x86-hardened-2008.0.tar.bz2 and
stage3-i686-hardened-2008.0.tar.bz2

3) As these profiles seem to reflect the new "preferred layout", I
understand that someone added them. But why aren't settings from
supported hardened profiles ported to this new layout, to remove the
ambiguity?

--
Regards,
Tom
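
Added example (not part of the original message and not Gentoo tooling): a small shell check that classifies a profile symlink the way this thread answers the question, including the relative target found in the 2008.0 hardened stages. It assumes the symlink lives at etc/make.profile under the audited root; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Gentoo profile symlink target using the answer
# given in this thread (February 2009). Function names are hypothetical and
# etc/make.profile is the assumed location of the profile symlink.

# Reduce a target such as "../usr/portage/profiles/hardened/linux/x86/2008.0"
# (as shipped in the stage tarballs) to the bare profile name.
profile_name() {
    p=${1%/}                                  # drop one trailing slash
    case $p in
        */profiles/*) p=${p##*/profiles/} ;;  # strip everything up to profiles/
    esac
    p=${p#/}                                  # the thread also writes "/hardened/amd64"
    printf '%s\n' "$p"
}

# supported   : profiles the thread names as maintained by the hardened team
# unsupported : hardened/linux/*, described as not under the team's control
# not-covered : anything the thread gives no verdict on
profile_status() {
    case $(profile_name "$1") in
        hardened/amd64|hardened/amd64/multilib|hardened/x86/2.6)
            echo supported ;;
        hardened/linux/*)
            echo unsupported ;;
        *)
            echo not-covered ;;
    esac
}

# Audit a live system ("/") or an unpacked stage tarball rooted at $1.
# Prints "<status> <profile>" and returns 0 only for a supported profile.
audit_root() {
    link=${1%/}/etc/make.profile
    [ -L "$link" ] || { echo "no-profile-link"; return 2; }
    target=$(readlink "$link")
    st=$(profile_status "$target")
    echo "$st $(profile_name "$target")"
    [ "$st" = supported ]
}

# Stand-alone use: ./check-profile.sh /mnt/gentoo
[ $# -eq 0 ] || audit_root "$1"
```
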