* [gentoo-user] nvidia-kernel p.masked by hardened profile
From: Willie Wong @ 2006-07-11 22:48 UTC
To: gentoo-user
An emerge update after a recent sync turns up the following message:
!!! All ebuilds that could satisfy "nvidia-kernel" have been masked.
!!! One of the following masked packages is required to complete
your request:
- media-video/nvidia-kernel-1.0.7676-r1 (masked by: package.mask)
# These two package do more harm than good w/ hardened.
# users must now the opensource xorg nv driver with nvidia cards.
# By placing Driver "nv" in xorg.conf
# 2006-06-29 solar
Ditto with the new nvidia-drivers package.
A few questions:
1. nv still doesn't do 3D acceleration, right?
2. Is there more information about what "more harm than good" means?
I tried googling but the only thing I found was a commit log on
solar's website with a one-liner about p.masking nvidia-kernel. I
want to know what kind of problems the nvidia drivers incur so I
can decide whether to give up 3D acceleration, the hardened
profile, or ignore solar's advice and unmask the packages.
3. Is this (the fact that I am running a hardened profile) the reason
that if I 'emerge --pretend --update xorg-x11 --verbose', among the
list of VIDEO_CARDS options displayed, I do not see nvidia?
Thanks,
W
--
A boy mathematician and a girl mathematician face each other from
opposite sides of a room, and at the same time a boy engineer and a
girl engineer face each other from opposite sides of the room. At the
end of each minute, each boy-girl pair is allowed to halve their
distance from each other. The boy and girl mathematicians never meet,
but after a few minutes the engineers get close enough "for all
practical purposes."
Sortir en Pantoufles: up 5:21
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] nvidia-kernel p.masked by hardened profile
From: Richard Fish @ 2006-07-12 2:08 UTC
To: gentoo-user
On 7/11/06, Willie Wong <wwong@princeton.edu> wrote:
> 1. nv still doesn't do 3D acceleration, right?
Yes.
> 2. Is there more information about what "more harm than good" means?
> I tried googling but the only thing I found was a commit log on
> solar's website with a one-liner about p.masking nvidia-kernel. I
> want to know what kind of problems that nvidia drivers incur so I
> can decide whether to give up 3D acceleration, the hardened
> profile, or ignore solar's advice and unmask the packages.
Well, see what the hardened handbook has to say about binary drivers and x.org:
http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml#doc_chap4
I also found this bug:
http://bugs.gentoo.org/show_bug.cgi?id=139047
There may also be a valid security concern with binary-only kernel
modules: since they cannot be audited for security, one should assume
that they are horribly insecure. Any exploit here could compromise
the entire system, so one could argue they are totally inappropriate
for a 'hardened' system.
> 3. Is this (the fact that I am running a hardened profile) the reason
> that if I 'emerge --pretend --update xorg-x11 --verbose', among the
> list of VIDEO_CARDS options displayed, I do not see nvidia?
That is correct. video_cards_nvidia is in the hardened profile's use.mask.
-Richard
* Re: [gentoo-user] nvidia-kernel p.masked by hardened profile
From: Richard Fish @ 2006-07-12 2:11 UTC
To: gentoo-user
On 7/11/06, Richard Fish <bigfish@asmallpond.org> wrote:
> On 7/11/06, Willie Wong <wwong@princeton.edu> wrote:
> > 1. nv still doesn't do 3D acceleration, right?
>
> Yes.
*Sigh*. Yes, I know I am replying to myself 15 seconds after posting,
and that is a faux-pas. Sorry.
But my response here wasn't clear. Better answers would have been:
"Right", "Correct", or even "Nope, nv does not support hardware 3D
acceleration".
-Richard
* Re: [gentoo-user] nvidia-kernel p.masked by hardened profile
From: Willie Wong @ 2006-07-12 5:04 UTC
To: gentoo-user
First, thanks for the pointers. See below
On Tue, Jul 11, 2006 at 07:08:52PM -0700, Penguin Lover Richard Fish squawked:
> On 7/11/06, Willie Wong <wwong@princeton.edu> wrote:
> > 2. Is there more information about what "more harm than good" means?
> > I tried googling but the only thing I found was a commit log on
> > solar's website with a one-liner about p.masking nvidia-kernel. I
> > want to know what kind of problems that nvidia drivers incur so I
> > can decide whether to give up 3D acceleration, the hardened
> > profile, or ignore solar's advice and unmask the packages.
>
> Well, see what the hardened handbook has to say about binary drivers and
> x.org:
> http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml#doc_chap4
Well, that page is rather outdated. I am pretty sure nvidia-glx
supports dlloader since several versions back (at least since summer
of last year): after all, I've been running it. There were some
hiccups early on when I first started using it (several programs I
often use, such as ut2004 and mplayer, require chpax/paxctl to turn
off MPROTECT and RANDEXEC), but it has been running well on my system.
>
> I also found this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=139047
The attitude expressed in that bug is also the point made on the
gentoo-hardened mailing list (I did a search on gmane after sending
out my original e-mail). Basically it seems that the devs' attitude is
that "the driver is binary, we can't fix it if it is broken, so we
won't support it." And I am completely fine with that. But I remember
that one year ago they told us to use dlloader and to use binary drivers
at our own risk, so I am wondering if anyone here knows why the sudden
change in attitude to "I am telling you not to use nvidia binary
drivers", namely, whether there is any newly found incompatibility of
nvidia-drivers with the hardened profile.
> There may also be a valid security concern with binary-only kernel
> modules: since they cannot be audited for security, one should assume
> that they are horribly insecure. Any exploit here could compromise
> the entire system, so one could argue they are totally inappropriate
> for a 'hardened' system.
Yes, I took on that risk when I started running a hardened desktop
with nvidia binary drivers. What I am most interested in is what new
significant flaws (if any) were found in the binary drivers that make
their use such a taboo.
Furthermore, I thought one of the things that the hardened team were
less happy about is not so much the binary kernel driver, but the
libGL.so nvidia provides... basically any program that uses opengl
that links against the nvidia-glx would need to have certain PAX flags
turned off to run without being killed by the kernel.
I am beginning to sense the situation is more along the lines of the
devs formalizing the policy of not supporting binary drivers and
telling users to stop bothering them with bugs they cannot do anything
about. If that is indeed the case, I'd simply unmask the offending
packages and deal with them myself.
>
> > 3. Is this (the fact that I am running a hardened profile) the reason
> > that if I 'emerge --pretend --update xorg-x11 --verbose', among the
> > list of VIDEO_CARDS options displayed, I do not see nvidia?
>
> That is correct. video_cards_nvidia is in the hardened profile's use.mask.
>
I looked at man portage, and I am not quite sure about this:
Is it possible to unmask the useflag by, for example, writing to
/etc/portage/use.mask the line "-video_cards_nvidia"? Or must I modify
/etc/make.profile/use.mask?
thx
W
--
Sortir en Pantoufles: up 11:25
* Re: [gentoo-user] nvidia-kernel p.masked by hardened profile
From: Richard Fish @ 2006-07-12 5:59 UTC
Skipping a bunch of stuff that I don't know the answers to...
On 7/11/06, Willie Wong <wwong@princeton.edu> wrote:
> I looked at man portage, and I am not quite sure about this:
>
> Is it possible to unmask the useflag by, for example, writing to
> /etc/portage/use.mask the line "-video_cards_nvidia"? Or must I modify
> /etc/make.profile/use.mask?
I believe adding "-video_cards_nvidia" to
/etc/portage/profile/use.mask (notice the directory!) should do it.
But really this doesn't matter...this use flag is only used to add a
dependency on the nvidia drivers for xorg-x11. Having the nvidia flag
masked doesn't in any way prevent you from unmasking
x11-drivers/nvidia-drivers, merging them, and using nvidia in
xorg.conf.
-Richard
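How Portage stacks use.mask files, as an added example (this is not code from the thread or from Gentoo's own tooling): the profile's use.mask is read first, then the user's /etc/portage/profile/use.mask, and a leading "-" removes a mask set by an earlier file, which is why "-video_cards_nvidia" in the user file re-enables the flag. The two sample files are constructed in a temporary directory and stand in for the hardened profile and the user override.

```shell
#!/bin/sh
# Added example, not from the thread: emulate Portage's incremental
# stacking of use.mask files. Files are applied in order; a bare flag
# masks it, "-flag" removes an earlier mask. Comments and blanks are
# ignored. Paths below are constructed under a temp dir (assumption).
set -eu

# stack_use_mask FILE... -> prints the effective masked flags, sorted.
stack_use_mask() {
    awk '
        /^[[:space:]]*#/ { next }            # comment line
        NF == 0          { next }            # blank line
        {
            flag = $1
            if (substr(flag, 1, 1) == "-")   # "-flag" unmasks again
                delete masked[substr(flag, 2)]
            else
                masked[flag] = 1
        }
        END { for (f in masked) print f }
    ' "$@" | sort
}

# Constructed sample: a profile that masks two video card flags, and a
# user override (the /etc/portage/profile/use.mask trick from the thread)
# that negates only the nvidia one.
demo_effective_mask() {
    d=$(mktemp -d)
    mkdir -p "$d/profile" "$d/etc/portage/profile"
    cat > "$d/profile/use.mask" <<'EOF'
# hardened profile use.mask (constructed sample)
video_cards_nvidia
video_cards_fglrx
EOF
    cat > "$d/etc/portage/profile/use.mask" <<'EOF'
# user override: drop the mask on the nvidia flag only
-video_cards_nvidia
EOF
    stack_use_mask "$d/profile/use.mask" "$d/etc/portage/profile/use.mask"
    rm -rf "$d"
}

demo_effective_mask   # prints: video_cards_fglrx
```

Running the same function over the real profile chain (each parent's use.mask in order, then /etc/portage/profile/use.mask) is a quick way to confirm that an override unmasked only the flag you intended.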
* Re: [gentoo-user] nvidia-kernel p.masked by hardened profile
From: Willie Wong @ 2006-07-12 14:05 UTC
On Tue, Jul 11, 2006 at 10:59:40PM -0700, Penguin Lover Richard Fish squawked:
> I believe adding "-video_cards_nvidia" to
> /etc/portage/profile/use.mask (notice the directory!) should do it.
>
> But really this doesn't matter...this use flag is only used to add a
> dependency on the nvidia drivers for xorg-x11. Having the nvidia flag
> masked doesn't in any way prevent you from unmasking
> x11-drivers/nvidia-drivers, merging them, and using nvidia in
> xorg.conf.
I see, just one last question about this: so I am assuming that this
means that the use flag would allow xorg-x11 to pull in nvidia-drivers
as a dependency. All I really need to do then is to emerge
nvidia-drivers separately myself?
W
--
"One's never alone with a rubber duck. "
Sortir en Pantoufles: up 20:44
* Re: [gentoo-user] nvidia-kernel p.masked by hardened profile
From: Richard Fish @ 2006-07-12 16:52 UTC
On 7/12/06, Willie Wong <wwong@princeton.edu> wrote:
> I see, just one last question about this: so I am assuming that this
> means that the use flag would allow xorg-x11 to pull in nvidia-drivers
> as a dependency. All I really need to do then is to emerge
> nvidia-drivers separately myself?
Right.
-Richard