* [gentoo-hardened] Re: [gentoo-security] #342619 RESOLVED WONTFIX
[not found] ` <AANLkTi=Diu_ca6Kyd+WA5zmii4eEKttGXGzEUjLggrwe@mail.gmail.com>
@ 2010-10-28 1:14 ` Pavel Labushev
2010-11-03 18:09 ` Ed W
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Labushev @ 2010-10-28 1:14 UTC (permalink / raw
To: gentoo-security, gentoo-hardened
> eruption or something else. Now collection is expanded to patches that
> will not be mainstreamed :> This is GOOD PRACTICE :). Thinking about
Another distros do include patches for glibc not accepted by mainstream.
In this particular case the patch is pretty trivial. And how many users
actually need those LD_* vars to be handled for setuid/setgid binaries?
My bet it's less than 1% of them, and even less than 0.1% of Hardened users.
And what's the problem with including the patch only for glibc[hardened]
and/or glibc[-debug]? I guess that's what at least Hardened users want:
to proactively secure their system, even at the expense of some
debugging facilities (PIE vs <gdb-7.1 as an example).
To reject the patch without any explaination was one man's decision I do
not agree personally, especially after Gentoo security team failed to
fix the recent glibc vulns in a timely manner.
On another point, if some users want this particular patch to be
included, they should speak for themselves. By now I don't see much
interest even among #gentoo-hardened people.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-hardened] Re: [gentoo-security] #342619 RESOLVED WONTFIX
2010-10-28 1:14 ` [gentoo-hardened] Re: [gentoo-security] #342619 RESOLVED WONTFIX Pavel Labushev
@ 2010-11-03 18:09 ` Ed W
2010-11-03 18:23 ` "Tóth Attila"
0 siblings, 1 reply; 3+ messages in thread
From: Ed W @ 2010-11-03 18:09 UTC (permalink / raw
To: gentoo-hardened
On 28/10/2010 02:14, Pavel Labushev wrote:
>> eruption or something else. Now collection is expanded to patches that
>> will not be mainstreamed :> This is GOOD PRACTICE :). Thinking about
> Another distros do include patches for glibc not accepted by mainstream.
>
> In this particular case the patch is pretty trivial. And how many users
> actually need those LD_* vars to be handled for setuid/setgid binaries?
> My bet it's less than 1% of them, and even less than 0.1% of Hardened users.
>
> And what's the problem with including the patch only for glibc[hardened]
> and/or glibc[-debug]? I guess that's what at least Hardened users want:
> to proactively secure their system, even at the expense of some
> debugging facilities (PIE vs<gdb-7.1 as an example).
>
> To reject the patch without any explaination was one man's decision I do
> not agree personally, especially after Gentoo security team failed to
> fix the recent glibc vulns in a timely manner.
>
> On another point, if some users want this particular patch to be
> included, they should speak for themselves. By now I don't see much
> interest even among #gentoo-hardened people.
>
I don't understand why upstream are against taking this patch? Can you
expand?
Your argument seems compelling - I just don't understand why there is
any resistance?
Cheers
Ed W
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-hardened] Re: [gentoo-security] #342619 RESOLVED WONTFIX
2010-11-03 18:09 ` Ed W
@ 2010-11-03 18:23 ` "Tóth Attila"
0 siblings, 0 replies; 3+ messages in thread
From: "Tóth Attila" @ 2010-11-03 18:23 UTC (permalink / raw
To: gentoo-hardened
It is a good candidate to become a conditional patch for hardened.
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962
2010.November 3.(Sze) 19:09 időpontban Ed W ezt írta:
> On 28/10/2010 02:14, Pavel Labushev wrote:
>>> eruption or something else. Now collection is expanded to patches that
>>> will not be mainstreamed :> This is GOOD PRACTICE :). Thinking about
>> Another distros do include patches for glibc not accepted by mainstream.
>>
>> In this particular case the patch is pretty trivial. And how many users
>> actually need those LD_* vars to be handled for setuid/setgid binaries?
>> My bet it's less than 1% of them, and even less than 0.1% of Hardened
>> users.
>>
>> And what's the problem with including the patch only for glibc[hardened]
>> and/or glibc[-debug]? I guess that's what at least Hardened users want:
>> to proactively secure their system, even at the expense of some
>> debugging facilities (PIE vs<gdb-7.1 as an example).
>>
>> To reject the patch without any explaination was one man's decision I do
>> not agree personally, especially after Gentoo security team failed to
>> fix the recent glibc vulns in a timely manner.
>>
>> On another point, if some users want this particular patch to be
>> included, they should speak for themselves. By now I don't see much
>> interest even among #gentoo-hardened people.
>>
>
> I don't understand why upstream are against taking this patch? Can you
> expand?
>
> Your argument seems compelling - I just don't understand why there is
> any resistance?
>
> Cheers
>
> Ed W
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-11-03 18:23 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20101026191542.GA14996@localhost>
[not found] ` <AANLkTi=43c00HieRGKxqdqhvhfCEtKufkT=wx=1gMJKg@mail.gmail.com>
[not found] ` <201010272033.56366.volkerarmin@googlemail.com>
[not found] ` <AANLkTi=Diu_ca6Kyd+WA5zmii4eEKttGXGzEUjLggrwe@mail.gmail.com>
2010-10-28 1:14 ` [gentoo-hardened] Re: [gentoo-security] #342619 RESOLVED WONTFIX Pavel Labushev
2010-11-03 18:09 ` Ed W
2010-11-03 18:23 ` "Tóth Attila"
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox