[gentoo-hardened] Which profile?

[gentoo-hardened] Which profile?

[Clemente Aguiar]

I understand that the profiles where updated recently (last year?).

Available profile symlink targets:
  [1]   hardened/amd64 *
  [2]   hardened/amd64/multilib
  [3]   selinux/2007.0/amd64
  [4]   selinux/2007.0/amd64/hardened
  [5]   default/linux/amd64/2008.0
  [6]   default/linux/amd64/2008.0/desktop
  [7]   default/linux/amd64/2008.0/developer
  [8]   default/linux/amd64/2008.0/no-multilib
  [9]   default/linux/amd64/2008.0/server
  [10]  hardened/linux/amd64

Available profile symlink targets:
  [1]   hardened/x86/2.6 *
  [2]   selinux/2007.0/x86
  [3]   selinux/2007.0/x86/hardened
  [4]   default/linux/x86/2008.0
  [5]   default/linux/x86/2008.0/desktop
  [6]   default/linux/x86/2008.0/developer
  [7]   default/linux/x86/2008.0/server
  [8]   hardened/linux/x86


I would like to know what hardened profile I should use when I build new
machines? (AMD64 as well as x86)

Thanks.

Re: [gentoo-hardened] Which profile?

[Tom Hendrikx]

[-- Attachment #1: Type: text/plain, Size: 1446 bytes --]

Clemente Aguiar schreef:
> I understand that the profiles where updated recently (last year?).
> 
> Available profile symlink targets:
>   [1]   hardened/amd64 *
>   [2]   hardened/amd64/multilib
>   [3]   selinux/2007.0/amd64
>   [4]   selinux/2007.0/amd64/hardened
>   [5]   default/linux/amd64/2008.0
>   [6]   default/linux/amd64/2008.0/desktop
>   [7]   default/linux/amd64/2008.0/developer
>   [8]   default/linux/amd64/2008.0/no-multilib
>   [9]   default/linux/amd64/2008.0/server
>   [10]  hardened/linux/amd64
> 
> Available profile symlink targets:
>   [1]   hardened/x86/2.6 *
>   [2]   selinux/2007.0/x86
>   [3]   selinux/2007.0/x86/hardened
>   [4]   default/linux/x86/2008.0
>   [5]   default/linux/x86/2008.0/desktop
>   [6]   default/linux/x86/2008.0/developer
>   [7]   default/linux/x86/2008.0/server
>   [8]   hardened/linux/x86
> 
> 
> I would like to know what hardened profile I should use when I build new
> machines? (AMD64 as well as x86)
> 
> Thanks.
> 
> 
> 

A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
the profiles directory. This gave me no problems other than the expected
gcc-4 -> gcc-3 downgrade.

I'm not sure why this profile isn't listed in the eselect profile
listing above. It doesn't give me a big fat "unsupported profile"
warning though...

Regards,
	Tom


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 258 bytes --]

Re: [gentoo-hardened] Which profile?

[Matthew Summers]

[-- Attachment #1: Type: text/plain, Size: 1981 bytes --]

On Tue, Feb 10, 2009 at 4:04 AM, Tom Hendrikx <tom@whyscream.net> wrote:

> Clemente Aguiar schreef:
> > I understand that the profiles where updated recently (last year?).
> >
> > Available profile symlink targets:
> >   [1]   hardened/amd64 *
> >   [2]   hardened/amd64/multilib
> >   [3]   selinux/2007.0/amd64
> >   [4]   selinux/2007.0/amd64/hardened
> >   [5]   default/linux/amd64/2008.0
> >   [6]   default/linux/amd64/2008.0/desktop
> >   [7]   default/linux/amd64/2008.0/developer
> >   [8]   default/linux/amd64/2008.0/no-multilib
> >   [9]   default/linux/amd64/2008.0/server
> >   [10]  hardened/linux/amd64
> >
> > Available profile symlink targets:
> >   [1]   hardened/x86/2.6 *
> >   [2]   selinux/2007.0/x86
> >   [3]   selinux/2007.0/x86/hardened
> >   [4]   default/linux/x86/2008.0
> >   [5]   default/linux/x86/2008.0/desktop
> >   [6]   default/linux/x86/2008.0/developer
> >   [7]   default/linux/x86/2008.0/server
> >   [8]   hardened/linux/x86
> >
> >
> > I would like to know what hardened profile I should use when I build new
> > machines? (AMD64 as well as x86)
> >
> > Thanks.
> >
> >
> >
>
> A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
> to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
> the profiles directory. This gave me no problems other than the expected
> gcc-4 -> gcc-3 downgrade.
>
> I'm not sure why this profile isn't listed in the eselect profile
> listing above. It doesn't give me a big fat "unsupported profile"
> warning though...
>
> Regards,
>         Tom
>
>

This is a confusing situation.  I am currently using
/usr/portage/profiles/hardened/linux/amd64/2008.0.

This is not explicitly listed in the output of 'eselect profile list'.

Perhaps we could sort this out on the list & then I will write a quick doc
to place in the hardened web space to assist other users.

-- 
M. Summers

"...there are no rules here -- we're trying to accomplish something."
 - Thomas A. Edison

[-- Attachment #2: Type: text/html, Size: 2879 bytes --]

Re: [gentoo-hardened] Which profile?

[Cyprien Nicolas]

2009/2/10 Matthew Summers <msummers42@gmail.com>:
> On Tue, Feb 10, 2009 at 4:04 AM, Tom Hendrikx <tom@whyscream.net> wrote:
>>
>> Clemente Aguiar schreef:
>> > I understand that the profiles where updated recently (last year?).
>> >
>> > Available profile symlink targets:
>> >   [1]   hardened/amd64 *
>> >   [2]   hardened/amd64/multilib
>> >   [3]   selinux/2007.0/amd64
>> >   [4]   selinux/2007.0/amd64/hardened
>> >   [5]   default/linux/amd64/2008.0
>> >   [6]   default/linux/amd64/2008.0/desktop
>> >   [7]   default/linux/amd64/2008.0/developer
>> >   [8]   default/linux/amd64/2008.0/no-multilib
>> >   [9]   default/linux/amd64/2008.0/server
>> >   [10]  hardened/linux/amd64
>> >
>> > Available profile symlink targets:
>> >   [1]   hardened/x86/2.6 *
>> >   [2]   selinux/2007.0/x86
>> >   [3]   selinux/2007.0/x86/hardened
>> >   [4]   default/linux/x86/2008.0
>> >   [5]   default/linux/x86/2008.0/desktop
>> >   [6]   default/linux/x86/2008.0/developer
>> >   [7]   default/linux/x86/2008.0/server
>> >   [8]   hardened/linux/x86
>> >
>> >
>> > I would like to know what hardened profile I should use when I build new
>> > machines? (AMD64 as well as x86)
>> >
>> > Thanks.
>> >
>> >
>> >
>>
>> A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
>> to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
>> the profiles directory. This gave me no problems other than the expected
>> gcc-4 -> gcc-3 downgrade.
>>
>> I'm not sure why this profile isn't listed in the eselect profile
>> listing above. It doesn't give me a big fat "unsupported profile"
>> warning though...
>>
>> Regards,
>>        Tom
>>
>
>
> This is a confusing situation.  I am currently using
> /usr/portage/profiles/hardened/linux/amd64/2008.0.
>
> This is not explicitly listed in the output of 'eselect profile list'.
>
> Perhaps we could sort this out on the list & then I will write a quick doc
> to place in the hardened web space to assist other users.
>
> --
> M. Summers
>
> "...there are no rules here -- we're trying to accomplish something."
>  - Thomas A. Edison
>

On #gentooo-hardened, I got this answer :

Feb 04 20:10:51 <Tommy[D]>      Anyone can say, which profile of the 2
hardened ones are supported here?
Feb 04 20:12:01 <gengor>        Tommy[D]: use hardened/${ARCH}/2.6

But it was not listed by Clemente for amd64

--
Cyprien

Re: [gentoo-hardened] Which profile?

[Thomas Sachau]

[-- Attachment #1: Type: text/plain, Size: 2795 bytes --]

Cyprien Nicolas schrieb:
> 2009/2/10 Matthew Summers <msummers42@gmail.com>:
>> On Tue, Feb 10, 2009 at 4:04 AM, Tom Hendrikx <tom@whyscream.net> wrote:
>>> Clemente Aguiar schreef:
>>>> I understand that the profiles where updated recently (last year?).
>>>>
>>>> Available profile symlink targets:
>>>>   [1]   hardened/amd64 *
>>>>   [2]   hardened/amd64/multilib
>>>>   [3]   selinux/2007.0/amd64
>>>>   [4]   selinux/2007.0/amd64/hardened
>>>>   [5]   default/linux/amd64/2008.0
>>>>   [6]   default/linux/amd64/2008.0/desktop
>>>>   [7]   default/linux/amd64/2008.0/developer
>>>>   [8]   default/linux/amd64/2008.0/no-multilib
>>>>   [9]   default/linux/amd64/2008.0/server
>>>>   [10]  hardened/linux/amd64
>>>>
>>>> Available profile symlink targets:
>>>>   [1]   hardened/x86/2.6 *
>>>>   [2]   selinux/2007.0/x86
>>>>   [3]   selinux/2007.0/x86/hardened
>>>>   [4]   default/linux/x86/2008.0
>>>>   [5]   default/linux/x86/2008.0/desktop
>>>>   [6]   default/linux/x86/2008.0/developer
>>>>   [7]   default/linux/x86/2008.0/server
>>>>   [8]   hardened/linux/x86
>>>>
>>>>
>>>> I would like to know what hardened profile I should use when I build new
>>>> machines? (AMD64 as well as x86)
>>>>
>>>> Thanks.
>>>>
>>>>
>>>>
>>> A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
>>> to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
>>> the profiles directory. This gave me no problems other than the expected
>>> gcc-4 -> gcc-3 downgrade.
>>>
>>> I'm not sure why this profile isn't listed in the eselect profile
>>> listing above. It doesn't give me a big fat "unsupported profile"
>>> warning though...
>>>
>>> Regards,
>>>        Tom
>>>
>>
>> This is a confusing situation.  I am currently using
>> /usr/portage/profiles/hardened/linux/amd64/2008.0.
>>
>> This is not explicitly listed in the output of 'eselect profile list'.
>>
>> Perhaps we could sort this out on the list & then I will write a quick doc
>> to place in the hardened web space to assist other users.
>>
>> --
>> M. Summers
>>
>> "...there are no rules here -- we're trying to accomplish something."
>>  - Thomas A. Edison
>>
> 
> On #gentooo-hardened, I got this answer :
> 
> Feb 04 20:10:51 <Tommy[D]>      Anyone can say, which profile of the 2
> hardened ones are supported here?
> Feb 04 20:12:01 <gengor>        Tommy[D]: use hardened/${ARCH}/2.6
> 
> But it was not listed by Clemente for amd64
> 
> --
> Cyprien
> 
> 

So he should use either /hardened/amd64 or /hardened/amd64/multilib. If i rememember it right, the
other profile (/hardened/linux/* ) is not under control by the hardened team and because of that not
supported.

-- 
Thomas Sachau

Gentoo Linux Developer


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 315 bytes --]

Re: [gentoo-hardened] Which profile?

[Ned Ludd]

On Tue, 2009-02-10 at 19:17 +0100, Thomas Sachau wrote:
> Cyprien Nicolas schrieb:
> > 2009/2/10 Matthew Summers <msummers42@gmail.com>:
> >> On Tue, Feb 10, 2009 at 4:04 AM, Tom Hendrikx <tom@whyscream.net> wrote:
> >>> Clemente Aguiar schreef:
> >>>> I understand that the profiles where updated recently (last year?).
> >>>>
> >>>> Available profile symlink targets:
> >>>>   [1]   hardened/amd64 *
> >>>>   [2]   hardened/amd64/multilib
> >>>>   [3]   selinux/2007.0/amd64
> >>>>   [4]   selinux/2007.0/amd64/hardened
> >>>>   [5]   default/linux/amd64/2008.0
> >>>>   [6]   default/linux/amd64/2008.0/desktop
> >>>>   [7]   default/linux/amd64/2008.0/developer
> >>>>   [8]   default/linux/amd64/2008.0/no-multilib
> >>>>   [9]   default/linux/amd64/2008.0/server
> >>>>   [10]  hardened/linux/amd64
> >>>>
> >>>> Available profile symlink targets:
> >>>>   [1]   hardened/x86/2.6 *
> >>>>   [2]   selinux/2007.0/x86
> >>>>   [3]   selinux/2007.0/x86/hardened
> >>>>   [4]   default/linux/x86/2008.0
> >>>>   [5]   default/linux/x86/2008.0/desktop
> >>>>   [6]   default/linux/x86/2008.0/developer
> >>>>   [7]   default/linux/x86/2008.0/server
> >>>>   [8]   hardened/linux/x86
> >>>>
> >>>>
> >>>> I would like to know what hardened profile I should use when I build new
> >>>> machines? (AMD64 as well as x86)
> >>>>
> >>>> Thanks.
> >>>>
> >>>>
> >>>>
> >>> A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
> >>> to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
> >>> the profiles directory. This gave me no problems other than the expected
> >>> gcc-4 -> gcc-3 downgrade.
> >>>
> >>> I'm not sure why this profile isn't listed in the eselect profile
> >>> listing above. It doesn't give me a big fat "unsupported profile"
> >>> warning though...
> >>>
> >>> Regards,
> >>>        Tom
> >>>
> >>
> >> This is a confusing situation.  I am currently using
> >> /usr/portage/profiles/hardened/linux/amd64/2008.0.
> >>
> >> This is not explicitly listed in the output of 'eselect profile list'.
> >>
> >> Perhaps we could sort this out on the list & then I will write a quick doc
> >> to place in the hardened web space to assist other users.
> >>
> >> --
> >> M. Summers
> >>
> >> "...there are no rules here -- we're trying to accomplish something."
> >>  - Thomas A. Edison
> >>
> > 
> > On #gentooo-hardened, I got this answer :
> > 
> > Feb 04 20:10:51 <Tommy[D]>      Anyone can say, which profile of the 2
> > hardened ones are supported here?
> > Feb 04 20:12:01 <gengor>        Tommy[D]: use hardened/${ARCH}/2.6
> > 
> > But it was not listed by Clemente for amd64
> > 
> > --
> > Cyprien
> > 
> > 
> 
> So he should use either /hardened/amd64 or /hardened/amd64/multilib. If i rememember it right, the
> other profile (/hardened/linux/* ) is not under control by the hardened team and because of that not
> supported.

Correct.

amd64 #1 or #2 (suggested #2)
x86   #1


-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux

Re: [gentoo-hardened] Which profile?

[Clemente Aguiar]

Ter, 2009-02-10 às 10:40 -0800, Ned Ludd escreveu:
> On Tue, 2009-02-10 at 19:17 +0100, Thomas Sachau wrote:
> > Cyprien Nicolas schrieb:
> > > 2009/2/10 Matthew Summers <msummers42@gmail.com>:
> > >> On Tue, Feb 10, 2009 at 4:04 AM, Tom Hendrikx <tom@whyscream.net> wrote:
> > >>> Clemente Aguiar schreef:
> > >>>> I understand that the profiles where updated recently (last year?).
> > >>>>
> > >>>> Available profile symlink targets:
> > >>>>   [1]   hardened/amd64 *
> > >>>>   [2]   hardened/amd64/multilib
> > >>>>   [3]   selinux/2007.0/amd64
> > >>>>   [4]   selinux/2007.0/amd64/hardened
> > >>>>   [5]   default/linux/amd64/2008.0
> > >>>>   [6]   default/linux/amd64/2008.0/desktop
> > >>>>   [7]   default/linux/amd64/2008.0/developer
> > >>>>   [8]   default/linux/amd64/2008.0/no-multilib
> > >>>>   [9]   default/linux/amd64/2008.0/server
> > >>>>   [10]  hardened/linux/amd64
> > >>>>
> > >>>> Available profile symlink targets:
> > >>>>   [1]   hardened/x86/2.6 *
> > >>>>   [2]   selinux/2007.0/x86
> > >>>>   [3]   selinux/2007.0/x86/hardened
> > >>>>   [4]   default/linux/x86/2008.0
> > >>>>   [5]   default/linux/x86/2008.0/desktop
> > >>>>   [6]   default/linux/x86/2008.0/developer
> > >>>>   [7]   default/linux/x86/2008.0/server
> > >>>>   [8]   hardened/linux/x86
> > >>>>
> > >>>>
> > >>>> I would like to know what hardened profile I should use when I build new
> > >>>> machines? (AMD64 as well as x86)
> > >>>>
> > >>>> Thanks.
> > >>>>
> > >>>>
> > >>>>
> > >>> A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
> > >>> to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
> > >>> the profiles directory. This gave me no problems other than the expected
> > >>> gcc-4 -> gcc-3 downgrade.
> > >>>
> > >>> I'm not sure why this profile isn't listed in the eselect profile
> > >>> listing above. It doesn't give me a big fat "unsupported profile"
> > >>> warning though...
> > >>>
> > >>> Regards,
> > >>>        Tom
> > >>>
> > >>
> > >> This is a confusing situation.  I am currently using
> > >> /usr/portage/profiles/hardened/linux/amd64/2008.0.
> > >>
> > >> This is not explicitly listed in the output of 'eselect profile list'.
> > >>
> > >> Perhaps we could sort this out on the list & then I will write a quick doc
> > >> to place in the hardened web space to assist other users.
> > >>
> > >> --
> > >> M. Summers
> > >>
> > >> "...there are no rules here -- we're trying to accomplish something."
> > >>  - Thomas A. Edison
> > >>
> > > 
> > > On #gentooo-hardened, I got this answer :
> > > 
> > > Feb 04 20:10:51 <Tommy[D]>      Anyone can say, which profile of the 2
> > > hardened ones are supported here?
> > > Feb 04 20:12:01 <gengor>        Tommy[D]: use hardened/${ARCH}/2.6
> > > 
> > > But it was not listed by Clemente for amd64
> > > 
> > > --
> > > Cyprien
> > > 
> > > 
> > 
> > So he should use either /hardened/amd64 or /hardened/amd64/multilib. If i rememember it right, the
> > other profile (/hardened/linux/* ) is not under control by the hardened team and because of that not
> > supported.
> 
> Correct.
> 
> amd64 #1 or #2 (suggested #2)
> x86   #1
> 

This is what I wanted to know. Thanks.

Re: [gentoo-hardened] Which profile?

[Tom Hendrikx]

[-- Attachment #1: Type: text/plain, Size: 3842 bytes --]

Clemente Aguiar wrote:
> Ter, 2009-02-10 às 10:40 -0800, Ned Ludd escreveu:
>> On Tue, 2009-02-10 at 19:17 +0100, Thomas Sachau wrote:
>>> Cyprien Nicolas schrieb:
>>>> 2009/2/10 Matthew Summers <msummers42@gmail.com>:
>>>>> On Tue, Feb 10, 2009 at 4:04 AM, Tom Hendrikx <tom@whyscream.net> wrote:
>>>>>> Clemente Aguiar schreef:
>>>>>>> I understand that the profiles where updated recently (last year?)..
>>>>>>>
>>>>>>> Available profile symlink targets:
>>>>>>>   [1]   hardened/amd64 *
>>>>>>>   [2]   hardened/amd64/multilib
>>>>>>>   [3]   selinux/2007.0/amd64
>>>>>>>   [4]   selinux/2007.0/amd64/hardened
>>>>>>>   [5]   default/linux/amd64/2008.0
>>>>>>>   [6]   default/linux/amd64/2008.0/desktop
>>>>>>>   [7]   default/linux/amd64/2008.0/developer
>>>>>>>   [8]   default/linux/amd64/2008.0/no-multilib
>>>>>>>   [9]   default/linux/amd64/2008.0/server
>>>>>>>   [10]  hardened/linux/amd64
>>>>>>>
>>>>>>> Available profile symlink targets:
>>>>>>>   [1]   hardened/x86/2.6 *
>>>>>>>   [2]   selinux/2007.0/x86
>>>>>>>   [3]   selinux/2007.0/x86/hardened
>>>>>>>   [4]   default/linux/x86/2008.0
>>>>>>>   [5]   default/linux/x86/2008.0/desktop
>>>>>>>   [6]   default/linux/x86/2008.0/developer
>>>>>>>   [7]   default/linux/x86/2008.0/server
>>>>>>>   [8]   hardened/linux/x86
>>>>>>>
>>>>>>>
>>>>>>> I would like to know what hardened profile I should use when I build new
>>>>>>> machines? (AMD64 as well as x86)
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> A few days ago I switched an x86 machine from "default/linux/x86/2008.0"
>>>>>> to "hardened/linux/x86/2008.0/server" after some arbitrary rummaging in
>>>>>> the profiles directory. This gave me no problems other than the expected
>>>>>> gcc-4 -> gcc-3 downgrade.
>>>>>>
>>>>>> I'm not sure why this profile isn't listed in the eselect profile
>>>>>> listing above. It doesn't give me a big fat "unsupported profile"
>>>>>> warning though...
>>>>>>
>>>>>> Regards,
>>>>>>        Tom
>>>>>>
>>>>> This is a confusing situation.  I am currently using
>>>>> /usr/portage/profiles/hardened/linux/amd64/2008.0.
>>>>>
>>>>> This is not explicitly listed in the output of 'eselect profile list'.
>>>>>
>>>>> Perhaps we could sort this out on the list & then I will write a quick doc
>>>>> to place in the hardened web space to assist other users.
>>>>>
>>>>> --
>>>>> M. Summers
>>>>>
>>>>> "...there are no rules here -- we're trying to accomplish something."
>>>>>  - Thomas A. Edison
>>>>>
>>>> On #gentooo-hardened, I got this answer :
>>>>
>>>> Feb 04 20:10:51 <Tommy[D]>      Anyone can say, which profile of the 2
>>>> hardened ones are supported here?
>>>> Feb 04 20:12:01 <gengor>        Tommy[D]: use hardened/${ARCH}/2.6
>>>>
>>>> But it was not listed by Clemente for amd64
>>>>
>>>> --
>>>> Cyprien
>>>>
>>>>
>>> So he should use either /hardened/amd64 or /hardened/amd64/multilib. If i rememember it right, the
>>> other profile (/hardened/linux/* ) is not under control by the hardened team and because of that not
>>> supported.
>> Correct.
>>
>> amd64 #1 or #2 (suggested #2)
>> x86   #1
>>
> 
> This is what I wanted to know. Thanks.
> 
> 

Then I'll be the one to ask the annoying questions:)

1) Why are they there (could be related to some over-enthousiast
non-hardened devs)?

2) Why do the profiles in the released hardened stages point to
"../usr/portage/profiles/hardened/linux/x86/2008.0" by default? I
checked this in stage1-x86-hardened-2008.0.tar.bz2 and
stage3-i686-hardened-2008.0.tar.bz2

3) As these profiles seem to reflect the new "preferred layout", I
understand that someone added them. But why aren't settings from
supported hardened profiles ported to this new layout, to remove the
ambiguity?

-- 
Regards,
	Tom


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

Re: [gentoo-hardened] Which profile?

[Gordon Malm]

On Wednesday, February 11, 2009 10:53:46 Tom Hendrikx wrote:
>
> Then I'll be the one to ask the annoying questions:)
>
> 1) Why are they there (could be related to some over-enthousiast
> non-hardened devs)?
>
> 2) Why do the profiles in the released hardened stages point to
> "../usr/portage/profiles/hardened/linux/x86/2008.0" by default? I
> checked this in stage1-x86-hardened-2008.0.tar.bz2 and
> stage3-i686-hardened-2008.0.tar.bz2
>
> 3) As these profiles seem to reflect the new "preferred layout", I
> understand that someone added them. But why aren't settings from
> supported hardened profiles ported to this new layout, to remove the
> ambiguity?

To make a long story short one hand didn't know what the other was doing.  The 
new profiles are the way I'd like to go, but they need some adjustment and 
the old profiles should be used for now.  The situation is what it is today 
because nobody (me) has gotten around to fixing+testing the new profiles and 
dealing with the transition.  Not what you wanted to hear probably, but 
there's much to do in hardened land and not many to do it.

Gordon Malm (gengor)

Re: [gentoo-hardened] Which profile?

[Tom Hendrikx]

[-- Attachment #1: Type: text/plain, Size: 1528 bytes --]

Gordon Malm wrote:
> On Wednesday, February 11, 2009 10:53:46 Tom Hendrikx wrote:
>> Then I'll be the one to ask the annoying questions:)
>>
>> 1) Why are they there (could be related to some over-enthousiast
>> non-hardened devs)?
>>
>> 2) Why do the profiles in the released hardened stages point to
>> "../usr/portage/profiles/hardened/linux/x86/2008.0" by default? I
>> checked this in stage1-x86-hardened-2008.0.tar.bz2 and
>> stage3-i686-hardened-2008.0.tar.bz2
>>
>> 3) As these profiles seem to reflect the new "preferred layout", I
>> understand that someone added them. But why aren't settings from
>> supported hardened profiles ported to this new layout, to remove the
>> ambiguity?
> 
> To make a long story short one hand didn't know what the other was doing.  The 
> new profiles are the way I'd like to go, but they need some adjustment and 
> the old profiles should be used for now.  The situation is what it is today 
> because nobody (me) has gotten around to fixing+testing the new profiles and 
> dealing with the transition.  Not what you wanted to hear probably, but 
> there's much to do in hardened land and not many to do it.
> 
> Gordon Malm (gengor)
> 

My questions arose from curiosity, so thanks for clearing up. It's too
bad that the situation is like it is, but I understand that there is
more than enough work to be done, and not enough man power.

Just know that testing stuff can be easily 'outsourced', just abuse the
mailing list:)

--
Regards,
	Tom


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 258 bytes --]

Re: [gentoo-hardened] Which profile?

[Matthew Summers]

[-- Attachment #1: Type: text/plain, Size: 2074 bytes --]

On Thu, Feb 12, 2009 at 1:55 AM, Tom Hendrikx <tom@whyscream.net> wrote:

> Gordon Malm wrote:
> > On Wednesday, February 11, 2009 10:53:46 Tom Hendrikx wrote:
> >> Then I'll be the one to ask the annoying questions:)
> >>
> >> 1) Why are they there (could be related to some over-enthousiast
> >> non-hardened devs)?
> >>
> >> 2) Why do the profiles in the released hardened stages point to
> >> "../usr/portage/profiles/hardened/linux/x86/2008.0" by default? I
> >> checked this in stage1-x86-hardened-2008.0.tar.bz2 and
> >> stage3-i686-hardened-2008.0.tar.bz2
> >>
> >> 3) As these profiles seem to reflect the new "preferred layout", I
> >> understand that someone added them. But why aren't settings from
> >> supported hardened profiles ported to this new layout, to remove the
> >> ambiguity?
> >
> > To make a long story short one hand didn't know what the other was doing.
>  The
> > new profiles are the way I'd like to go, but they need some adjustment
> and
> > the old profiles should be used for now.  The situation is what it is
> today
> > because nobody (me) has gotten around to fixing+testing the new profiles
> and
> > dealing with the transition.  Not what you wanted to hear probably, but
> > there's much to do in hardened land and not many to do it.
> >
> > Gordon Malm (gengor)
> >
>
> My questions arose from curiosity, so thanks for clearing up. It's too
> bad that the situation is like it is, but I understand that there is
> more than enough work to be done, and not enough man power.
>
> Just know that testing stuff can be easily 'outsourced', just abuse the
> mailing list:)
>
> --
> Regards,
>         Tom
>
>
Gengor,

I had been running the profile in the stage3 with no issues for about a
month on a couple of servers without any issues.

Would it be possible to place a README in the dir with the new hardened
stages briefly explaining the situation so our users don't make this mistake
again?

Cheers & thanks for all the fish!

-- 
M. Summers

"...there are no rules here -- we're trying to accomplish something."
 - Thomas A. Edison

[-- Attachment #2: Type: text/html, Size: 2796 bytes --]