From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 20 Feb 2014 20:52:07 +0400
From: Andrew Savchenko
To: gentoo-user@lists.gentoo.org
Cc: Nicolas Sebrecht
Subject: Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment?
Message-Id: <20140220205207.a1f2f6077cfbc037ae9b0bdb@gmail.com>
In-Reply-To: <20140220102952.GA6784@sabayon.logifi>
References: <5297F0C8.3060403@gmail.com> <5305410B.1090403@gmail.com> <20140220102952.GA6784@sabayon.logifi>
X-Mailer: Sylpheed 3.3.0 (GTK+ 2.24.18; x86_64-pc-linux-gnu)

On Thu, 20 Feb 2014 11:29:52 +0100 Nicolas Sebrecht wrote:
> The 20/02/14, Nilesh Govindrajan wrote:
>
> > Gentoo makes the best server OS because it's a custom-built OS where the
> > admin knows each and every aspect of the OS. Security-wise, there is no
> > unwanted or unused stuff, so fewer bugs to deal with.
>
> While I agree with the "less code is less bugs" argument, I disagree with
> your point.
>
> Tuning software means that the binaries compiled on a machine are less
> used in the wild (other Gentoo systems have other hardware, enabled USE
> flags, etc.). Hence, the binaries executed on your local server are likely
> much less tested by others.

And this point is one of the highest security benefits in the real world: one has non-standard binaries, not available in the wild. Most exploits will fail on such binaries even if the vulnerability is still there.
This will cut off most automatic botnet attacks even without additional security measures like a hardened setup, PaX or grsecurity (yeah, I never trusted SELinux because of its main author: a sane agency will never release a security tool which can be a hindrance to this agency). Of course, if the system is specifically targeted by qualified professionals, this will only hinder their approach, but binary-based distributions will not provide any advantage here either.

Best regards,
Andrew Savchenko