Re: [gentoo-dev] New 17.0 release profiles
On Thu, Jun 15, 2017 at 11:41:11PM +0200, Andreas K. Huettel wrote:
> Check the /etc/portage/make.profile symlink. It points to the
> eselected profile. Replace that symlink with a new one pointing to
> the corresponding 17.0 directory.

I just synced and updated world. Profile 17.0 exists for amd64 but not for x86. Is that supposed to be the case? This is a Core2 Duo from 2008, with 3 gigs of ram, which I'm running as x86 (32-bit).

[d531][root][~] ll /usr/portage/profiles/default/linux/amd64
total 32
drwxr-xr-x  5 root root 4096 Jun 13 14:27 .
drwxr-xr-x 18 root root 4096 May  9 16:48 ..
drwxr-xr-x  8 root root 4096 May  8 19:21 13.0
drwxr-xr-x  8 root root 4096 Jun 13 14:27 17.0
drwxr-xr-x  3 root root 4096 May  8 19:21 dev
-rw-r--r--  1 root root    2 Aug  8  2015 eapi
-rw-r--r--  1 root root  340 Feb 28 14:50 package.use.mask
-rw-r--r--  1 root root   37 Aug  8  2015 parent

[d531][root][~] ll /usr/portage/profiles/default/linux/x86
total 24
drwxr-xr-x  3 root root 4096 May  9 16:48 .
drwxr-xr-x 18 root root 4096 May  9 16:48 ..
drwxr-xr-x  6 root root 4096 May  8 19:21 13.0
-rw-r--r--  1 root root    2 Aug  8  2015 eapi
-rw-r--r--  1 root root  340 Feb 28 14:50 package.use.mask
-rw-r--r--  1 root root   35 Aug  8  2015 parent

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
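The symlink swap Andreas describes is a one-liner, but the x86 case in this post shows why it should be guarded: pointing make.profile at a directory that does not exist (or at something under profiles/ that is not a profile) leaves portage with no usable profile until the link is fixed. The following is an added example, not code from the thread or from Gentoo; it checks that the target directory exists and carries the eapi and parent files seen in the listing above before replacing the link, and it refuses to touch a path that is a real directory rather than a symlink. The function names and the scratch-tree parameters are assumptions introduced here so the logic can be exercised outside a live system.

```shell
#!/bin/sh
# Added example (not from the thread): guarded replacement of the
# /etc/portage/make.profile symlink. Paths are parameters so the same
# function can be run against a scratch tree.

# Usage: switch_profile <profiles_root> <profile_relpath> <symlink>
#   e.g. switch_profile /usr/portage/profiles default/linux/x86/17.0 /etc/portage/make.profile
switch_profile() {
    root="$1"; profile="$2"; link="$3"
    target="$root/$profile"

    # The x86 case from the post: the 17.0 directory simply is not there.
    if [ ! -d "$target" ]; then
        echo "profile '$profile' does not exist under $root" >&2
        return 1
    fi
    # Every profile directory in the listing carries 'eapi' and 'parent';
    # a stray directory such as 'dev' under amd64 does not.
    if [ ! -f "$target/eapi" ] || [ ! -f "$target/parent" ]; then
        echo "'$target' is not a profile directory (missing eapi/parent)" >&2
        return 2
    fi
    # Only ever replace a symlink; never clobber a real directory at that path.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink; refusing to touch it" >&2
        return 3
    fi
    # -n makes ln treat an existing symlink-to-directory as the link itself
    # instead of creating the new link inside the directory it points to.
    ln -sfn "$target" "$link" || return 4
    return 0
}

# Print the current symlink target (empty string if no symlink is present).
current_profile() {
    if [ -L "$1" ]; then
        readlink "$1"
    else
        echo ""
    fi
}
```

Run it as root against the real paths only after `current_profile /etc/portage/make.profile` confirms you are replacing the 13.0 link you expect; a non-zero return leaves the existing link untouched.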
Re: [gentoo-dev] Hardening a default profile
On Sat, 17 Jun 2017 14:43:24 +0300 Andrew Savchenko wrote:
> On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > > there should be a way of turning these off systematically. the
> > > advantage of the current hardened gcc specs is that one can switch
> > > between them using gcc-config. if these are forced on for the
> > > default profile then there will be no easy way to systematically
> > > turn them off.
> >
> > No - there won't be an easy way for systematically turning off
> > SSP and PIE in 17.0 profiles [1,2].
> >
> > The hardened toolchain with its different gcc profiles came from a
> > time where SSP and PIE were relatively new security features and a
> > certain amount of fine-grained control was needed. Further, at that
> > time we were talking about external patches against gcc. Nowadays
> > everything is upstreamed and (almost) no patches to gcc for
> > hardened profiles are applied any more.
> >
> > Given the fact that all major linux distributions are following the
> > path of improved default hardening features (see for example [1])
> > and that we have been using ssp/pie in hardened profiles for years
> > now, the purpose of fine-grained control over ssp/pie is also highly
> > questionable.
> >
> > The consensus at the moment is that PIE and SSP (as well as stricter
> > linker flags) will soon be standard (or, actually *are* already
> > standard) compilation options. A per-package override (if
> > absolutely needed) is fine - and, in fact, already in place
> > everywhere where needed.
>
> Gentoo is all about choice, remember? :)
>
> It is really good to have them by default, it is bad to force them
> on everyone. Security is not always of paramount importance
> compared to other factors; sometimes performance matters more,
> e.g. in isolated and restricted non-public HPC environments.
>
> PIE, SSP may lead up to 8% of performance loss[1]. The
> stack-protector (especially stack-protector-all or -strong) may
> cause even more damage. For compute nodes this may be equivalent to
> millions USD loss (depends on the system scale of course).

This can probably be fixed by a gcc-config target disabling those, as it used to be the case on hardened.
Re: [gentoo-dev] Hardening a default profile
On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > there should be a way of turning these off systematically. the
> > advantage of the current hardened gcc specs is that one can switch
> > between them using gcc-config. if these are forced on for the default
> > profile then there will be no easy way to systematically turn them off.
>
> No - there won't be an easy way for systematically turning off
> SSP and PIE in 17.0 profiles [1,2].
>
> The hardened toolchain with its different gcc profiles came from a time
> where SSP and PIE were relatively new security features and a certain
> amount of fine-grained control was needed. Further, at that time we were
> talking about external patches against gcc. Nowadays everything is
> upstreamed and (almost) no patches to gcc for hardened profiles are
> applied any more.
>
> Given the fact that all major linux distributions are following the path
> of improved default hardening features (see for example [1]) and that we
> have been using ssp/pie in hardened profiles for years now, the purpose
> of fine-grained control over ssp/pie is also highly questionable.
>
> The consensus at the moment is that PIE and SSP (as well as stricter
> linker flags) will soon be standard (or, actually *are* already
> standard) compilation options. A per-package override (if absolutely
> needed) is fine - and, in fact, already in place everywhere where
> needed.

Gentoo is all about choice, remember? :)

It is really good to have them by default, it is bad to force them on everyone. Security is not always of paramount importance compared to other factors; sometimes performance matters more, e.g. in isolated and restricted non-public HPC environments.

PIE, SSP may lead up to 8% of performance loss[1]. The stack-protector (especially stack-protector-all or -strong) may cause even more damage. For compute nodes this may be equivalent to millions USD loss (depends on the system scale of course).

[1] https://bugs.archlinux.org/task/18864

Best regards,
Andrew Savchenko
[gentoo-dev] Lastrites: 4 packages incompatible with ffmpeg-3
# Pacho Ramos (17 Jun 2017)
# Not compatible with ffmpeg-3 (#602786), other bug reports and NPAPI
# plugins support in main browsers is dying. Removal in a month.
www-plugins/gnash

# Pacho Ramos (17 Jun 2017)
# Not compatible with ffmpeg-3 (#591946), neither builds without ffmpeg
# support (#607492) and NPAPI plugins are dying. Removal in a month.
www-plugins/lightspark

# Pacho Ramos (17 Jun 2017)
# Not compatible with ffmpeg-3 (#589806) and needs vulnerable qtwebkit:4
# (#620740). Removal in a month.
net-voip/homer

# Pacho Ramos (17 Jun 2017)
# Dead for ages, relies on google-code for fetching, not compatible with
# ffmpeg-3 neither with latest imagemagick (#575988). Removal in a month.
media-sound/gejengel
[gentoo-dev] Re: Gentoo Council 2017 / 2018 election
On 06/17/2017 03:56 AM, Alice Ferrazzi wrote:
> I nominate:
>
> blueness
> gokturk
> maffblaster
> kensington
> mrueg
> Soap
> mgorny
>
> --
> アリス フェッラッツィ
> Alice Ferrazzi
>
> Gentoo Kernel Project Leader
> Mail: Alice Ferrazzi
> PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A

Thanks, but I decline.