[sabayon-dev] Next Round of Hardened
We need to decide on our next step for rolling out hardened Sabayon. My proposal would be (1) Add all the @system packages to the white list and rebuild them. (2) Add Xorg to the white list during a time period we'll be able to react to any issues. If no issues, (3) From here, go from white-listing to black-listing. As far as it goes, I've done several systems on Hardened now, and I've never had any run-time package problems resulting from just letting everything go hardened as they're rebuilt. I've had a very few build problems, but it has been a while since I've run into any of those. But I think it would be best to flip the white-list/black-list switch with some lead time before the next freeze.
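An added check, not part of this thread or of Sabayon's own tooling: once a white-listed package has been rebuilt, a maintainer can confirm the resulting ELF binaries actually carry the properties a hardened toolchain is expected to give them. The thread does not name those properties; the script assumes PIE, a non-executable stack and RELRO, reads them straight from the ELF64 header and program headers, and builds two constructed sample images inline so it runs without real binaries.

```python
import struct
import sys

# ELF constants (ELF gABI plus the GNU program-header extensions).
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1


def check_elf64(data: bytes) -> dict:
    """Report whether an ELF64 image is PIE, has a non-exec stack and RELRO."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS: 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 == little-endian
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    fields = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    result = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)  # stack must not be executable
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True  # relocation data made read-only after loading
    return result


def build_elf64(e_type: int, phdrs: list) -> bytes:
    """Constructed sample: an ELF64 header plus program headers only, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)  # 62 == EM_X86_64
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # With no paths given, check two constructed images: one hardened, one not.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_elf64(fh.read()))
    else:
        hardened = build_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
        plain = build_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])
        print("hardened sample:", check_elf64(hardened))
        print("plain sample:   ", check_elf64(plain))
```

Run it over the files a rebuilt package installs (for example everything under /usr/bin from one package) to spot binaries that missed the hardened defaults before that package leaves the white list.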
Re: [sabayon-dev] Next Round of Hardened
Fine with me.

On Fri, Nov 9, 2012 at 5:09 PM, Mitch Harder mitch.har...@sabayonlinux.org wrote:
> We need to decide on our next step for rolling out hardened Sabayon. [...]
Re: [sabayon-dev] Next Round of Hardened
You sure there won't be any optimization of the code breakage and no performance cost? I'm kinda scared of hardening almost all packages of the system.

On Fri, Nov 9, 2012 at 9:03 PM, Joost Ruis joost.r...@sabayonlinux.org wrote:
> Fine with me.
>
> On Fri, Nov 9, 2012 at 5:09 PM, Mitch Harder mitch.har...@sabayonlinux.org wrote:
>> We need to decide on our next step for rolling out hardened Sabayon. [...]

--
Lead-Developer at Project Rogentos (Romanian Gentoo Operating System) GNU/Linux. Based on Sabayon and Gentoo Linux, Rogentos tends to offer support mainly for all Romanian Linux users and entrepreneurs who seek to learn an open and free system based on true values :)
http://rogentos.ro
www.facebook.com/RogentosLinux
https://plus.google.com/106559511636021124919/ Google+
Re: [sabayon-dev] Next Round of Hardened
Can you try a full-blown hardening and pass bugs my way, i.e. open Gentoo bug reports. I wouldn't just start black/white listing because some things might be easy fixes.

On 11/09/2012 11:09 AM, Mitch Harder wrote:
> We need to decide on our next step for rolling out hardened Sabayon. [...]

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
Re: [sabayon-dev] Next Round of Hardened
On amd64, the perf hit will be minimal. On x86 it will be substantial.

On 11/09/2012 02:08 PM, Steven Cristian wrote:
> You sure there won't be any optimization of the code breakage and no performance cost? I'm kinda scared of hardening almost all packages of the system. [...]
Re: [sabayon-dev] Next Round of Hardened
Will you be benchmarking both amd64 and x86?

On 11/09/2012 04:12 PM, Mitch Harder wrote:
> Yes, the purpose of hardened sources is enhanced security.
>
> On Fri, Nov 9, 2012 at 2:22 PM, Steven Cristian stefan.crist...@best.eu.org wrote:
>> Well, and the gain is more security, should I understand?
>>
>> On Fri, Nov 9, 2012 at 10:07 PM, Anthony G. Basile bluen...@gentoo.org wrote:
>>> On amd64, the perf hit will be minimal. On x86 it will be substantial. [...]
Re: [sabayon-dev] Next Round of Hardened
At this time, I don't have any specific benchmarking agenda planned. But I do have an x86 and two amd64 side-by-side reference systems for evaluating issues. In the past, I haven't been able to observe a significant performance issue unless I utilized a specially crafted benchmark designed to highlight something about hardened. That's the big drawback of benchmarking: usually each benchmark only highlights specifically what it was designed to look for. And many benchmarks do it in a way that doesn't translate to most people's real-world experience.

On Fri, Nov 9, 2012 at 3:25 PM, Anthony G. Basile bluen...@gentoo.org wrote:
> Will you be benchmarking both amd64 and x86? [...]