Message-ID: <4B680DDF.8050109@opensource.dyc.edu>
Date: Tue, 02 Feb 2010 06:34:55 -0500
From: basile <basile@opensource.dyc.edu>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Remove toolchain?
In-Reply-To: <20100201143519.GB3688@ctf.subverted.org>

schism@subverted.org wrote:
> On Mon, Feb 01, 2010 at 01:35:10PM +0100, Hinnerk van Bruinehsen wrote:
>
>> But there is one thing which disturbs me: Since Gentoo (and hardened
>> Gentoo) is source-based, I'll need a complete toolchain to keep the
>> system up to date.
>>
>> I don't like the idea of giving these tools to someone who might
>> compromise the server.
>
> Removing the toolchain is an old, common misconception whose originator
> I would love to meet and slap some sense into.

In fact, this itself is the answer to what to do if you want to remove
the toolchain. If you have several similar machines, you could use one
to compile and build the .tbz2 packages for updates to deploy to those
machines that do not have a toolchain.

Having said that, I agree that removing the toolchain is a weak defense
and you should use RBAC.

-- 
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA
(716) 829-8197