Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment?

[Alan McKinnon <alan.mckinnon@gmail.com>]

On 20/02/2014 22:41, Nicolas Sebrecht wrote:
> On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote:
> 
>> And this point is one of the highest security benefits in real world:
>> one have non-standard binaries, not available in the wild. Most
>> exploits will fail on such binaries even if vulnerability is still
>> there. 
> 
> While excluding few security issues by compiling less code is possible,
> believing that "non-standard binaries" (in the sense of "compiled for
> with local compilation flags") gives more security is a dangerous dream.
> 


+1

"non-standard binaries" is really just a special form of security by
obscurity. Or alternatively a special form of "no-one will eva figure
out my l33t skillz! Mwahahaha!"

Which is a very poor stance to take.

The total amount of code not compiled by setting some USE flags off is
on the whole not likely to be very much, and hoping with finger crossed
that the next weakness in a package will just happen to fall within a
code path that got left out by USE flags is a fools dream.

I'm glad you mentioned this Andrew, because the internets are full of
stupid advice like this "non-standard binary" nonsense. Yes, the
arguments at face value are difficult to refute with hard facts, but
those that do not known it is stupid are easily led into a sense of
false security, doesn't matter how many disclaimers are tagged on the end.

I reckon it's the duty of all knowledgeable sysadmins to stamp out this
crap HARD every time it raises it's head. To the user who brought it up
- this might seem overly harsh but I've yet to find a better method that
actually works and gets through to people.



-- 
Alan McKinnon
alan.mckinnon@gmail.com