* [gentoo-hardened] Hardened profile update
@ 2009-09-15 11:46 Tom Hendrikx
From: Tom Hendrikx @ 2009-09-15 11:46 UTC
To: gentoo-hardened
Hi,
As of today, portage notifies me that my current profile (hardened/x86)
is deprecated, and that "hardened/linux/x86/10.0" is the suggested
replacement.
A few months ago, there was some traffic on this list regarding
profiles, resulting in the conclusion that "hardened/x86" was to be
preferred above the default as set (by releng?) in the hardened stages:
"hardened/linux/x86", as the latter was not approved or checked by the
hardened project.
How does the new profile differ from hardened/x86, and is the new
profile tested/approved by the hardened project?
--
Regards,
Tom
* Re: [gentoo-hardened] Hardened profile update
From: klondike @ 2009-09-15 14:42 UTC
To: gentoo-hardened
2009/9/15 Tom Hendrikx <tom@whyscream.net>:
> Hi,
>
> As of today, portage notifies me that my current profile (hardened/x86)
> is deprecated, and that "hardened/linux/x86/10.0" is the suggested
> replacement.
>
> A few months ago, there was some traffic on this list regarding
> profiles, resulting in the conclusion that "hardened/x86" was to be
> preferred above the default as set (by releng?) in the hardened stages:
> "hardened/linux/x86", as the latter was not approved or checked by the
> hardened project.
>
> How does the new profile differ from hardened/x86, and is the new
> profile tested/approved by the hardened project?
AFAIK the profile was approved, but you'd better wait for a developer
to confirm this.
I didn't find many differences, just a few USEs enabled (I recall
python, perl and a few more) and the nls USE disabled. Anyway I
suppose other people can give you a more detailed explanation. Also, a
bug related to ld and the lirc package has been fixed.
* Re: [gentoo-hardened] Hardened profile update
From: Gordon Malm @ 2009-09-15 16:07 UTC
To: gentoo-hardened
On Tuesday, September 15, 2009 04:46:13 Tom Hendrikx wrote:
> Hi,
>
> As of today, portage notifies me that my current profile (hardened/x86)
> is deprecated, and that "hardened/linux/x86/10.0" is the suggested
> replacement.
>
> A few months ago, there was some traffic on this list regarding
> profiles, resulting in the conclusion that "hardened/x86" was to be
> preferred above the default as set (by releng?) in the hardened stages:
> "hardened/linux/x86", as the latter was not approved or checked by the
> hardened project.
>
> How does the new profile differ from hardened/x86, and is the new
> profile tested/approved by the hardened project?
>
> --
> Regards,
> Tom
Hi Tom,
You are correct, the hardened/linux/${arch} profiles were born by releng.
Hardened project took them over some time ago however and have been
maintaining both profile sets in parallel. The time has come to pare that
down to a single set of profiles again; thus the older hardened/${arch}
profiles have been deprecated.
The hardened/linux/${arch}/10.0 profiles are tested/approved by the hardened
team. Please file a bug if you run into problems.
Gordon Malm (gengor)
* Re: [gentoo-hardened] Hardened profile update
From: Tom Hendrikx @ 2009-09-16 7:28 UTC
To: gentoo-hardened
Gordon Malm wrote:
> On Tuesday, September 15, 2009 04:46:13 Tom Hendrikx wrote:
>> Hi,
>>
>> As of today, portage notifies me that my current profile (hardened/x86)
>> is deprecated, and that "hardened/linux/x86/10.0" is the suggested
>> replacement.
>>
>> A few months ago, there was some traffic on this list regarding
>> profiles, resulting in the conclusion that "hardened/x86" was to be
>> preferred above the default as set (by releng?) in the hardened stages:
>> "hardened/linux/x86", as the latter was not approved or checked by the
>> hardened project.
>>
>> How does the new profile differ from hardened/x86, and is the new
>> profile tested/approved by the hardened project?
>>
>> --
>> Regards,
>> Tom
>
> Hi Tom,
>
> You are correct, the hardened/linux/${arch} profiles were born by releng.
> Hardened project took them over some time ago however and have been
> maintaining both profile sets in parallel. The time has come to pare that
> down to a single set of profiles again; thus the older hardened/${arch}
> profiles have been deprecated.
>
> The hardened/linux/${arch}/10.0 profiles are tested/approved by the hardened
> team. Please file a bug if you run into problems.
>
> Gordon Malm (gengor)
>
Great, and thanks for the info, and the effort. Testing will commence today.
--
Regards,
Tom
* Re: [gentoo-hardened] Hardened profile update
From: Ed W @ 2009-09-28 21:16 UTC
To: gentoo-hardened
Gordon Malm wrote:
> On Tuesday, September 15, 2009 04:46:13 Tom Hendrikx wrote:
>
>> Hi,
>>
>> As of today, portage notifies me that my current profile (hardened/x86)
>> is deprecated, and that "hardened/linux/x86/10.0" is the suggested
>> replacement.
>>
>> A few months ago, there was some traffic on this list regarding
>> profiles, resulting in the conclusion that "hardened/x86" was to be
>> preferred above the default as set (by releng?) in the hardened stages:
>> "hardened/linux/x86", as the latter was not approved or checked by the
>> hardened project.
>>
>> How does the new profile differ from hardened/x86, and is the new
>> profile tested/approved by the hardened project?
>>
>> --
>> Regards,
>> Tom
>>
>
> Hi Tom,
>
> You are correct, the hardened/linux/${arch} profiles were born by releng.
> Hardened project took them over some time ago however and have been
> maintaining both profile sets in parallel. The time has come to pare that
> down to a single set of profiles again; thus the older hardened/${arch}
> profiles have been deprecated.
>
> The hardened/linux/${arch}/10.0 profiles are tested/approved by the hardened
> team. Please file a bug if you run into problems.
>
>
Can someone please explain why the default has switched to USE="-nls"?
What implications does this hold for people upgrading? (Should I remove
gettext at the end?)
Thanks
* Re: [gentoo-hardened] Hardened profile update
From: William (B.J.) Snow Orvis @ 2009-09-29 18:18 UTC
To: gentoo-hardened
Ed,
On Mon, Sep 28, 2009 at 10:16:06PM +0100, Ed W wrote:
>
> Can someone please explain why the default has switched to
> USE="-nls"? What implications does this hold for people upgrading?
> (Should I remove gettext at the end?)
I don't know why it was dropped (other than probably removing a
dependency that is often not used or needed on a locked down server),
but dropping the native language support USE flag would cause upgraded
and newly installed packages to no longer provide support for multiple
languages (I don't know enough about gettext to know if packages that do
not enable it only provide the original language used in the source
or not, and I've always removed the nls flag myself).
If you want to remove all support for it from your system now (as well
as for any other changed USE flags), do something like `emerge -av
--newuse --update --deep world` followed by `emerge -pv --depclean` to
see which non-world, non-system packages would be cleaned (and removing
the -p if the list is acceptable).
If you want to remove just gettext, you could use `equery d gettext` to
see what depends on it and revdep-rebuild to rebuild just those packages
that link to its library.
If you aren't worried about having NLS support still enabled in some
installed packages and gettext installed, just let upgrades slowly drop
the nls flag.
--
William (B.J.) Snow Orvis
aetherknight@gmail.com
http://www.aedifice.org
* Re: [gentoo-hardened] Hardened profile update
From: Gordon Malm @ 2009-09-30 3:17 UTC
To: gentoo-hardened
On Monday, September 28, 2009 14:16:06 Ed W wrote:
> Gordon Malm wrote:
> > On Tuesday, September 15, 2009 04:46:13 Tom Hendrikx wrote:
> >> Hi,
> >>
> >> As of today, portage notifies me that my current profile (hardened/x86)
> >> is deprecated, and that "hardened/linux/x86/10.0" is the suggested
> >> replacement.
> >>
> >> A few months ago, there was some traffic on this list regarding
> >> profiles, resulting in the conclusion that "hardened/x86" was to be
> >> preferred above the default as set (by releng?) in the hardened stages:
> >> "hardened/linux/x86", as the latter was not approved or checked by the
> >> hardened project.
> >>
> >> How does the new profile differ from hardened/x86, and is the new
> >> profile tested/approved by the hardened project?
> >>
> >> --
> >> Regards,
> >> Tom
> >
> > Hi Tom,
> >
> > You are correct, the hardened/linux/${arch} profiles were born by releng.
> > Hardened project took them over some time ago however and have been
> > maintaining both profile sets in parallel. The time has come to pare
> > that down to a single set of profiles again; thus the older
> > hardened/${arch} profiles have been deprecated.
> >
> > The hardened/linux/${arch}/10.0 profiles are tested/approved by the
> > hardened team. Please file a bug if you run into problems.
>
> Can someone please explain why the default has switched to USE="-nls"?
> What implications does this hold for people upgrading? (Should I remove
> gettext at the end?)
>
> Thanks
Hi Ed,
It is my estimation that flag was disabled by mistake on the
hardened/linux/${arch} profiles. I have re-enabled it. Should be fixed on
your next sync.
* Re: [gentoo-hardened] Hardened profile update
From: Ed W @ 2009-09-30 9:18 UTC
To: gentoo-hardened
Gordon Malm wrote:
> It is my estimation that flag was disabled by mistake on the
> hardened/linux/${arch} profiles. I have re-enabled it. Should be fixed on
> your next sync
Yearggg... oh bother...
It's been like that for a while so I took it as a hint and just updated
8 servers this way...
I *think* I actually have very little need for nls? I believe that
given it's "a server" and given only admins who all speak the same
language will access it, then the only times I need nls are for specific
client applications which need translation? So as near as I can tell I
only need it for certain web applications (PHP, squirrelmail, etc) - can
someone confirm or deny that this is a correct understanding of how nls
actually works out?
The main reason I care is that I have a lot of linux-vservers and it's
obviously helpful to sync USE flags across as many machines as practical
in order to make use of binary packages.
Anyone care to comment on why else I might care to standardise on nls
enabled or disabled for a mail/web server type installation?
It's been very deliberately marked as removed, so I wondered if there
was a history of bugs in gettext which argued for it not to be on by
default?
Cheers
Ed W
* Re: [gentoo-hardened] Hardened profile update
From: Claes Gyllenswärd @ 2009-09-30 9:32 UTC
To: gentoo-hardened
2009/9/30 Ed W <lists@wildgooses.com>
> Gordon Malm wrote:
>
>> It is my estimation that flag was disabled by mistake on the
>> hardened/linux/${arch} profiles. I have re-enabled it. Should be fixed on
>> your next sync
>>
>
> Yearggg... oh bother...
>
> It's been like that for a while so I took it as a hint and just updated 8
> servers this way...
>
> I *think* I actually have very little need for nls? I believe that given
> it's "a server" and given only admins who all speak the same language will
> access it, then the only times I need nls are for specific client
> applications which need translation? So as near as I can tell I only need
> it for certain web applications (PHP, squirrelmail, etc) - can someone
> confirm or deny that this is a correct understanding of how nls actually
> works out?
>
> The main reason I care is that I have a lot of linux-vservers and it's
> obviously helpful to sync USE flags across as many machines as practical in
> order to make use of binary packages.
>
> Anyone care to comment on why else I might care to standardise on nls
> enabled or disabled for a mail/web server type installation?
>
> It's been very deliberately marked as removed, so I wondered if there was a
> history of bugs in gettext which argued for it not to be on by default?
>
> Cheers
>
> Ed W
>
I have absolutely zero technical information to give you, but basically
under the same assumption as you just presented, I have run my server with
-nls for a long time. Even my home desktop has -nls. This may be really
stupid for all I know, but I never noticed a problem. I'm Swedish, so I'm
not natively English-speaking, but I do run everything in English language
environments.
* Re: [gentoo-hardened] Hardened profile update
From: Ed W @ 2009-09-30 9:48 UTC
To: gentoo-hardened
Gordon Malm wrote:
> It is my estimation that flag was disabled by mistake on the
> hardened/linux/${arch} profiles. I have re-enabled it. Should be fixed on
> your next sync.
>
>
Quick question and slightly OT
How do others setup their own "profile"?
I'm thinking that I try to sync a base /etc/make.conf across quite a few
machines and whilst each machine slightly customises this, it would be
really nice to have a master set of USE defaults and package.use /
package.keywords options
I presume one needs to simply setup the profile somewhere outside of the
/portage directory and then reference it? Anything else needed other
than a "parent" file pointing back at the real base profile?
Any other tips from others who do something like this?
Cheers
Ed W
* Re: [gentoo-hardened] Hardened profile update
From: Kerin Millar @ 2009-09-30 10:47 UTC
To: gentoo-hardened
2009/9/30 Ed W <lists@wildgooses.com>:
> Gordon Malm wrote:
>>
>> It is my estimation that flag was disabled by mistake on the
>> hardened/linux/${arch} profiles. I have re-enabled it. Should be fixed on
>> your next sync.
>>
>>
>
>
> Quick question and slightly OT
>
> How do others setup their own "profile"?
>
> I'm thinking that I try to sync a base /etc/make.conf across quite a few
> machines and whilst each machine slightly customises this, it would be
> really nice to have a master set of USE defaults and package.use /
> package.keywords options
>
> I presume one needs to simply setup the profile somewhere outside of the
> /portage directory and then reference it? Anything else needed other than
> a "parent" file pointing back at the real base profile?
>
> Any other tips from others who do something like this?
Personally, I believe that gentoo has suffered from global USE flag
bloat for a long time. It is unfortunate that aligning the hardened
profile with the (nowadays complex) de-facto profile stack brings that
problem over into the hardened camp as a side effect. If I had a penny
for every obscure bug, block and obtuse manifestation of breakage with
which I have assisted users and that can be attributed to the system
complexity and fragility that results, I would probably be happily in
retirement by now. What's more, packages still make sadly limited and,
at times, questionable use of the pkginternal feature (IUSE="+gtk" in
net-analyzer/wireshark being an example that I find particularly
grating).
Essentially, I see it as an unholy mess and have long since given up
hope that there will ever be anything resembling a coherent and
carefully considered policy. So, being confident as to my preferences
and wishing to keep this policy area under my direct control, I have
long since eschewed the profile-sourced defaults. Here's an example of
how I go about it from one of my servers:
USE_ORDER="env:pkg:conf:pkginternal"
USE_CORE="cracklib hardened nptl pam pic readline ncurses unicode urandom zlib"
USE="${USE_CORE} mmx mmxext sse sse2 sse3 sse4.1 pcre"
The trick here is to drop "profile" from USE_ORDER (it is there by
default). The 'core' flags there are essentially a slightly reduced
version of those defined in the now deprecated profile. Frankly, even
these constitute too many global flags for my taste, but there are
some there which - after much deliberation - I determined should
remain. This has rather more to do with the manner in which certain
ebuilds work and the assumptions made on the part of their developers
rather than what I deem as being 'safe'.
Aside from that, I employ package.use extensively and often use
comments to make it perfectly clear as to why a given flag has been
switched on or off.
Regarding "nls", as someone who requires only English language
support, I find it to be almost useless. I say almost because, while
it is not necessarily required, I would say that it is a reasonable
default for php (some php applications require it). Why php still
fails to make use of pkginternal is something I continue to find
baffling.
Cheers,
--Kerin
* Re: [gentoo-hardened] Hardened profile update
From: Christian Affolter @ 2009-09-30 10:52 UTC
To: gentoo-hardened
Hi
> Quick question and slightly OT
>
> How do others setup their own "profile"?
>
> I'm thinking that I try to sync a base /etc/make.conf across quite a few
> machines and whilst each machine slightly customises this, it would be
> really nice to have a master set of USE defaults and package.use /
> package.keywords options
>
> I presume one needs to simply setup the profile somewhere outside of the
> /portage directory and then reference it? Anything else needed other
> than a "parent" file pointing back at the real base profile?
Yes, you only need an independent profile directory (ex.
/usr/local/portage/profiles/your-profile) and a parent file if you want
to "inherit" other profiles. I usually reference the current profile and
remove or add packages from the default packages file. This is
especially handy if you're doing binary-only installations where
build-time dependencies aren't required.
Furthermore you can enforce package versions, for example
>=sys-apps/baselayout-2.0.0 to get the new baselayout/openrc by default.
> Any other tips from others who do something like this?
I use nested profiles for different types of servers, like real and
virtual ones.
For example I have
/usr/local/portage/profiles/my-profile
/usr/local/portage/profiles/my-profile/vserver
/usr/local/portage/profiles/my-profile/carrier
The first one acts as a base profile for both virtual servers and
carrier systems. In a virtual server I don't need any hardware or kernel
related packages, whereas the carrier requires some utilities for managing
the virtual servers etc.
Regards
Chris
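Kerin's USE_ORDER trick and Christian's nested profile tree are two views of the same mechanism. As an added example that is not code from the thread or from Portage, this script mimics profile stacking (a parent file naming the inherited profile, make.defaults USE values applied incrementally) and USE_ORDER-style layering on a constructed my-profile/vserver tree; the layer names profile/conf/env, the sample flags and the temporary paths are assumptions, and the package.use layer is left out.

```python
"""Added example (not Portage code): resolve USE from a stacked profile tree and USE_ORDER."""
import os
import tempfile

def apply_incremental(current, tokens):
    """Incremental semantics: 'flag' adds, '-flag' removes, '-*' clears."""
    flags = set(current)
    for tok in tokens:
        if tok == "-*":
            flags.clear()
        elif tok.startswith("-"):
            flags.discard(tok[1:])
        else:
            flags.add(tok)
    return flags

def read_var(path, name):
    """Whitespace-split value of NAME="..." in a make.defaults-style file."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        for line in fh:
            if line.strip().startswith(name + "="):
                return line.strip().split("=", 1)[1].strip('"').split()
    return []

def profile_chain(profile_dir):
    """Follow 'parent' entries up to the root; root-first so children override."""
    chain = []
    parent_file = os.path.join(profile_dir, "parent")
    if os.path.exists(parent_file):
        with open(parent_file) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    chain += profile_chain(os.path.normpath(os.path.join(profile_dir, line)))
    chain.append(profile_dir)
    return chain

def profile_use(profile_dir):
    """USE defaults contributed by the whole profile stack."""
    flags = set()
    for d in profile_chain(profile_dir):
        flags = apply_incremental(flags, read_var(os.path.join(d, "make.defaults"), "USE"))
    return flags

def effective_use(use_order, profile_dir, conf_use, env_use):
    """USE_ORDER names the highest-priority source first, so apply in reverse;
    a layer it does not name contributes nothing (assumed names: profile/conf/env)."""
    layers = {"profile": lambda: profile_use(profile_dir),
              "conf": lambda: conf_use, "env": lambda: env_use}
    flags = set()
    for name in reversed(use_order.split(":")):
        if name in layers:
            flags = apply_incremental(flags, layers[name]())
    return flags

def build_demo_tree():
    """Constructed sample: base profile plus a nested vserver child (paths are made up)."""
    base = os.path.join(tempfile.mkdtemp(), "my-profile")
    vserver = os.path.join(base, "vserver")
    os.makedirs(vserver)
    with open(os.path.join(base, "make.defaults"), "w") as fh:
        fh.write('USE="hardened pam nls python perl"\n')
    with open(os.path.join(vserver, "parent"), "w") as fh:
        fh.write("..\n")  # inherit the base profile
    with open(os.path.join(vserver, "make.defaults"), "w") as fh:
        fh.write('USE="-nls -python"\n')  # the virtual server drops these
    return vserver
```

Running `effective_use("env:pkg:conf", vserver, ["pcre"], [])` on the demo tree yields only the make.conf flags, which is exactly the effect Kerin describes when "profile" is absent from USE_ORDER.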