Re: [gentoo-dev] New 17.0 release profiles

2017-06-17 Thread Walter Dnes
On Thu, Jun 15, 2017 at 11:41:11PM +0200, Andreas K. Huettel wrote

> Check the /etc/portage/make.profile symlink. It points to the
> eselected profile.  Replace that symlink with a new one pointing to
> the corresponding 17.0 directory.

  I just synced and updated world.  Profile 17.0 exists for amd64 but
not for x86.  Is that supposed to be the case?  This is a Core2 Duo from
2008, with 3 gigs of ram, which I'm running as x86 (32-bit).

[d531][root][~] ll /usr/portage/profiles/default/linux/amd64
total 32
drwxr-xr-x  5 root root 4096 Jun 13 14:27 .
drwxr-xr-x 18 root root 4096 May  9 16:48 ..
drwxr-xr-x  8 root root 4096 May  8 19:21 13.0
drwxr-xr-x  8 root root 4096 Jun 13 14:27 17.0
drwxr-xr-x  3 root root 4096 May  8 19:21 dev
-rw-r--r--  1 root root    2 Aug  8  2015 eapi
-rw-r--r--  1 root root  340 Feb 28 14:50 package.use.mask
-rw-r--r--  1 root root   37 Aug  8  2015 parent

[d531][root][~] ll /usr/portage/profiles/default/linux/x86  
total 24
drwxr-xr-x  3 root root 4096 May  9 16:48 .
drwxr-xr-x 18 root root 4096 May  9 16:48 ..
drwxr-xr-x  6 root root 4096 May  8 19:21 13.0
-rw-r--r--  1 root root    2 Aug  8  2015 eapi
-rw-r--r--  1 root root  340 Feb 28 14:50 package.use.mask
-rw-r--r--  1 root root   35 Aug  8  2015 parent

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-dev] Hardening a default profile

2017-06-17 Thread Alexis Ballier
On Sat, 17 Jun 2017 14:43:24 +0300
Andrew Savchenko  wrote:

> On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > > there should be a way of turning these off systematically.  the
> > > advantage of the current hardened gcc specs is that one can switch
> > > between them using gcc-config.  if these are forced on for the
> > > default profile then there will be no easy way to systematically
> > > turn them off.  
> > 
> > No - there won't be an easy way for systematically turning off
> > SSP and PIE in 17.0 profiles [1,2].
> > 
> > The hardened toolchain with its different gcc profiles came from a
> > time where SSP and PIE were relatively new security features and a
> > certain amount of fine-grained control was needed. Further, at that
> > time we were talking about external patches against gcc. Nowadays
> > everything is upstreamed and (almost) no patches to gcc for
> > hardened profiles are applied any more.
> > 
> > Given the fact that all major linux distributions are following the
> > path of improved default hardening features (see for example [1])
> > and that we have been using ssp/pie in hardened profiles for years
> > now the purpose of fine-grained control over ssp/pie is also highly
> > questionable.
> > 
> > The consensus at the moment is that PIE and SSP (as well as stricter
> > linker flags) will soon be standard (or, actually *are* already
> > standard) compilation options. A per-package override (if
> > absolutely needed) is fine - and, in fact, already in place
> > everywhere where needed.  
> 
> Gentoo is all about choice, remember? :)
> 
> It is really good to have them by default, it is bad to force them
> on everyone. Security is not always of paramount importance
> compared to other factors, sometimes performance matters more,
> e.g. in isolated and restricted non-public HPC environment.
> 
> PIE, SSP may lead up to 8% of performance loss[1]. The
> stack-protector (especially stack-protector-all or -strong) may
> cause even more damage. For compute nodes this may be equivalent to
> millions USD loss (depends on the system scale of course).

This can probably be fixed by a gcc-config target disabling those as it
used to be the case on hardened



Re: [gentoo-dev] Hardening a default profile

2017-06-17 Thread Andrew Savchenko
On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > there should be a way of turning these off systematically.  the
> > advantage of the current hardened gcc specs is that one can switch
> > between them using gcc-config.  if these are forced on for the default
> > profile then there will be no easy way to systematically turn them off.
> 
> No - there won't be an easy way for systematically turning off
> SSP and PIE in 17.0 profiles [1,2].
> 
> The hardened toolchain with its different gcc profiles came from a time
> where SSP and PIE were relatively new security features and a certain
> amount of fine-grained control was needed. Further, at that time we were
> talking about external patches against gcc. Nowadays everything is
> upstreamed and (almost) no patches to gcc for hardened profiles are
> applied any more.
> 
> Given the fact that all major linux distributions are following the path
> of improved default hardening features (see for example [1]) and that we
> have been using ssp/pie in hardened profiles for years now the purpose
> of fine-grained control over ssp/pie is also highly questionable.
> 
> The consensus at the moment is that PIE and SSP (as well as stricter
> linker flags) will soon be standard (or, actually *are* already
> standard) compilation options. A per-package override (if absolutely
> needed) is fine - and, in fact, already in place everywhere where
> needed.

Gentoo is all about choice, remember? :)

It is really good to have them by default, it is bad to force them
on everyone. Security is not always of paramount importance
compared to other factors, sometimes performance matters more,
e.g. in isolated and restricted non-public HPC environment.

PIE, SSP may lead up to 8% of performance loss[1]. The
stack-protector (especially stack-protector-all or -strong) may
cause even more damage. For compute nodes this may be equivalent to
millions USD loss (depends on the system scale of course).

[1] https://bugs.archlinux.org/task/18864

Best regards,
Andrew Savchenko


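Whichever side of the "force PIE/SSP on everyone" argument one takes, an admin needs a way to see what a given build actually produced, both after switching to a 17.0 profile and after applying a per-package override. The script below is an added example, not code from this thread or from Gentoo's toolchain; it reads the ELF header and program headers directly to classify a binary as non-PIE executable, PIE executable, or shared object, and uses the presence of `__stack_chk_fail` as an SSP indicator. The function names (`parse_elf`, `hardening_report`, `make_sample_elf`) are my own, and the sample binaries are constructed header-only stand-ins, not real Gentoo binaries.

```python
# Added example (not from the gentoo-dev thread): minimal ELF inspector for
# the two properties under discussion, PIE and SSP.  Pure Python, no
# readelf/scanelf required; works for ELF32 and ELF64, either byte order.
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3


def parse_elf(data: bytes) -> dict:
    """Return e_type and the list of program-header p_type values."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"       # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == ELFCLASS64:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
        # e_ehsize e_phentsize e_phnum
        hdr = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
    elif ei_class == ELFCLASS32:
        hdr = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
    else:
        raise ValueError("unknown ELF class")
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    ptypes = []
    for i in range(e_phnum):
        # p_type is the first field of a program header in both classes
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        ptypes.append(p_type)
    return {"e_type": e_type, "ptypes": ptypes}


def hardening_report(data: bytes) -> dict:
    """Classify PIE status and look for the SSP failure handler."""
    info = parse_elf(data)
    if info["e_type"] == ET_EXEC:
        kind, pie = "executable (non-PIE)", False
    elif info["e_type"] == ET_DYN:
        # An ET_DYN image with a PT_INTERP entry is a dynamically linked
        # PIE executable; without one it is a shared library (or static-pie).
        pie = PT_INTERP in info["ptypes"]
        kind = "executable (PIE)" if pie else "shared object or static-pie"
    else:
        kind, pie = "other", False
    # SSP heuristic: every instrumented function references __stack_chk_fail,
    # so the name shows up in the string tables.  Absence is not proof that
    # -fstack-protector was off: it only instruments functions with eligible
    # stack buffers, and a binary may simply have none.
    ssp = b"__stack_chk_fail" in data
    return {"kind": kind, "pie": pie, "ssp": ssp}


def make_sample_elf(e_type: int, with_interp: bool, with_ssp: bool) -> bytes:
    """Constructed stand-in for a real binary: a valid ELF64 little-endian
    header, an optional PT_INTERP program header and an optional fake
    string-table fragment.  Parseable, not loadable."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    phnum = 1 if with_interp else 0
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0, 64 if phnum else 0, 0, 0, 64, 56, phnum, 0, 0, 0)
    body = b""
    if with_interp:
        body += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    if with_ssp:
        body += b"\0__stack_chk_fail\0"
    return header + body


if __name__ == "__main__":
    # Usage: python elfcheck.py /usr/bin/foo /usr/lib/libbar.so ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, hardening_report(fh.read()))
```

On a real Gentoo system the same questions can be answered with `scanelf` from app-misc/pax-utils; the point of the stand-alone parser is to show exactly which header fields decide the answer, and why the SSP check is only a positive indicator.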


[gentoo-dev] Lastrites: 4 packages incompatible with ffmpeg-3

2017-06-17 Thread Pacho Ramos
# Pacho Ramos  (17 Jun 2017)
# Not compatible with ffmpeg-3 (#602786), other bug reports and NPAPI
# plugins support in main browsers is dying. Removal in a month.
www-plugins/gnash

# Pacho Ramos  (17 Jun 2017)
# Not compatible with ffmpeg-3 (#591946), does not build without ffmpeg
# support (#607492) and NPAPI plugins are dying. Removal in a month.
www-plugins/lightspark

# Pacho Ramos  (17 Jun 2017)
# Not compatible with ffmpeg-3 (#589806) and needs vulnerable qtwebkit:4
# (#620740). Removal in a month.
net-voip/homer

# Pacho Ramos  (17 Jun 2017)
# Dead for ages, relies on google-code for fetching, not compatible with
# ffmpeg-3 nor with latest imagemagick (#575988). Removal in a month.
media-sound/gejengel




[gentoo-dev] Re: Gentoo Council 2017 / 2018 election

2017-06-17 Thread Michael Palimaka
On 06/17/2017 03:56 AM, Alice Ferrazzi wrote:
> I nominate:
> 
> blueness
> gokturk
> maffblaster
> kensington
> mrueg
> Soap
> mgorny
> 
> -- 
> アリス フェッラッツィ
> Alice Ferrazzi
> 
> Gentoo Kernel Project Leader
> Mail: Alice Ferrazzi >
> PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A

Thanks, but I decline.