From: Willie Wong
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] nvidia-kernel p.masked by hardened profile
Date: Wed, 12 Jul 2006 01:04:23 -0400
Message-ID: <20060712050423.GA22078@princeton.edu>
In-Reply-To: <7573e9640607111908x36bc0ecev2a9bb52a46925581@mail.gmail.com>
References: <20060711224827.GA32071@princeton.edu> <7573e9640607111908x36bc0ecev2a9bb52a46925581@mail.gmail.com>

First, thanks for the pointers. See below.

On Tue, Jul 11, 2006 at 07:08:52PM -0700, Penguin Lover Richard Fish squawked:
> On 7/11/06, Willie Wong wrote:
> > 2. Is there more information about what "more harm than good" means?
> > I tried googling but the only thing I found was a commit log on
> > solar's website with a one-liner about p.masking nvidia-kernel. I
> > want to know what kind of problems the nvidia drivers incur so I
> > can decide whether to give up 3D acceleration, the hardened
> > profile, or ignore solar's advice and unmask the packages.
>
> Well, see what the hardened handbook has to say about binary drivers and
> x.org:
> http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml#doc_chap4

Well, that page is rather outdated. I am pretty sure nvidia-glx has supported dlloader for several versions now (at least since summer of last year): after all, I've been running it. There were some hiccups early on when I first started using it (several programs I often use, such as ut2004 and mplayer, require chpax/paxctl to turn off MPROTECT and RANDEXEC), but it has been running well on my system.

>
> I also found this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=139047

The attitude expressed in that bug is also the point made on the gentoo-hardened mailing list (I did a search on gmane after sending out my original e-mail). Basically it seems that the devs' attitude is "the driver is binary, we can't fix it if it is broken, so we won't support it." And I am completely fine with that. But I remember, one year ago, them telling us to use dlloader and to use binary drivers at our own risk; I am wondering if anyone here knows why the sudden change in attitude to "I am telling you not to use nvidia binary drivers", namely, whether there is any newly found incompatibility of nvidia-drivers with the hardened profile.

> There may also be a valid security concern with binary-only kernel
> modules: since they cannot be audited for security, one should assume
> that they are horribly insecure. Any exploit here could compromise
> the entire system, so one could argue they are totally inappropriate
> for a 'hardened' system.

Yes, I took on that risk when I started running a hardened desktop with nvidia binary drivers. What I am most interested in is what new significant flaws (if any) were found in the binary drivers that make their use so taboo.

Furthermore, I thought one of the things the hardened team were less happy about was not so much the binary kernel driver but the libGL.so nvidia provides... basically any program that uses opengl and links against nvidia-glx would need to have certain PaX flags turned off to run without being killed by the kernel.

I am beginning to sense the situation is more along the lines of the devs formalizing the policy of not supporting binary drivers and telling users to stop bothering them with bugs they cannot do anything about. If that is indeed the case, I'd simply unmask the offending packages and deal with them myself.

>
> > 3. Is this (the fact that I am running a hardened profile) the reason
> > that if I 'emerge --pretend --update xorg-x11 --verbose', among the
> > list of VIDEO_CARDS options displayed, I do not see nvidia?
>
> That is correct. video_cards_nvidia is in the hardened profile's use.mask.
>

I looked at man portage, and I am not quite sure about this: is it possible to unmask the USE flag by, for example, writing to /etc/portage/use.mask the line "-video_cards_nvidia"? Or must I modify /etc/make.profile/use.mask?

thx

W
-- 
Sortir en Pantoufles: up 11:25
-- 
gentoo-user@gentoo.org mailing list
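The closing question is about how Portage layers use.mask files, so here is a small model of that layering, added to this archive page as an example and not part of the thread. It mirrors the rule documented in portage(5): the selected profile's use.mask masks a flag, and a later file (the site-local override directory /etc/portage/profile/ is where the user's own use.mask goes) cancels that mask with a leading "-". The two file contents are constructed for the example; the script is not Portage's own code and takes no Portage tree as input.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): models how Portage
# layers use.mask files. A "-flag" line in a later file cancels a mask set
# by an earlier one, which is what a "-video_cards_nvidia" line in the
# site-local /etc/portage/profile/use.mask relies on.

# Constructed stand-in for the hardened profile's use.mask
PROFILE_USE_MASK='# hardened profile: no binary video drivers
video_cards_nvidia
video_cards_fglrx
'

# Constructed stand-in for the user's /etc/portage/profile/use.mask
LOCAL_USE_MASK='# local override: accept the binary-driver risk knowingly
-video_cards_nvidia
'

# effective_mask FILE_CONTENT... : prints, one per line and sorted, the flags
# still masked after applying each file in order. Comment lines and blank
# lines are ignored; "-flag" removes a mask, "flag" adds one.
effective_mask() {
    for content in "$@"; do
        printf '%s\n' "$content"
    done | awk '
        /^[[:space:]]*#/ { next }      # comment line
        NF == 0          { next }      # blank line
        {
            flag = $1
            if (substr(flag, 1, 1) == "-")
                delete masked[substr(flag, 2)]
            else
                masked[flag] = 1
        }
        END { for (f in masked) print f }
    ' | sort
}

# is_masked FLAG FILE_CONTENT... : succeeds if FLAG is still masked after
# all files have been applied in order.
is_masked() {
    flag=$1
    shift
    effective_mask "$@" | grep -qx -- "$flag"
}

# Show the profile alone, then the profile plus the local override.
echo "masked by profile only:"
effective_mask "$PROFILE_USE_MASK"
echo "masked with local override applied:"
effective_mask "$PROFILE_USE_MASK" "$LOCAL_USE_MASK"
```

The order of the arguments is the whole point: the override only works because Portage reads the profile's file first and the local file last, so the same "-video_cards_nvidia" line placed before the profile's entry would be cancelled by it rather than the other way round.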