Re: [gentoo-user] About using only precompiled pkgs

2017-07-05 Thread james
On 07/05/17 08:57, Harry Putnam wrote:
> I skimmed thru some of the documentation about using binary pkgs
> online, but it kind of indicated it might not be possible to get
> everything in that format.
> 
> Wondering if using mostly binary pkgs is a biggish hassle or if it can
> be done... and done without the time-sink always involved in `emerge
> world'..(over time)?
> 
> As a longish time gentoo user (more than 12 yrs at a guess)... I can
> only guess at the enormous amount of time I've spent getting thru
> various aspects of `emerge world'.  I am sure it would be quite an
> astounding figure.
> 
> Due to an unusual thickness of skull... I may have spent more time
> than the average bear.
> 
> So, can someone be a gentoo user and NOT subscribe to one of the
> main tenets of the gentoo view of things.

Yep, just select a gentoo derivative distro [1] that puts out binaries
as an alternative.  But then when you do not find a binary for what you
want, you mostly end up with a 'one-off' to 'hokey' manual install
semantic. Most folks astute enough to run gentoo fear binaries put
together and offered as part of a distro. Are checksums enough to ensure
the integrity of internet-available binaries?  I'd suspect that is a
common attack vector for today's interlopers.

CoreOS may be good for you, if you can stomach systemd.

caveat emptor...



hth,
James

[1] https://wiki.gentoo.org/wiki/Distributions_based_on_Gentoo



Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-05 Thread james
On 07/04/17 23:16, Walter Dnes wrote:
> On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote
> 
>> W. Dnes is the king of minimalist here, so when he gives advice
>> realize it has decades of experimentation to get to where he is on
>> minimization.
> 
>   Not exactly "decades".  I first started linux in late 1999 or early
> 2000.  The minimalist approach was a side-effect of me being cheap.
> Even though I have a newer machine as my "hot backup" waiting in the
> wings, I want to run my older machine into the ground first.  10 years
> ago I was running a 450 MHz Pentium 3 with 256 megabytes of RAM.  Today
> I'm running a 2008 Dell with Core2 Duo and 3 gigs of RAM.  I have
> a newer i6 with 8 gigs of ram as the hot backup.  Running an older
> limited machine forces you to optimize.  The Gentoo USE flags give me
> the control to do the utmost minimization.
> 
>   I run the plain default/linux profile, and ICEWM as my WM and no
> "desktop environment" (as per my sig).  The less attack surface, the
> better.  Do not run the Flash plugin or the Java plugin.  If you
> absolutely have to do so, use it inside a VM (e.g. QEMU).  I have an
> aggressive handcrafted iptables firewall.  In addition, my little LAN
> sits behind a NAT-ing router, and I disable UPNP.  That covers my
> approach to security.
> 
>   I run mostly stable, except where an app I want/need is only unstable.
> Gentoo currently defaults to gcc-5.4.0.  I've enabled 6.3.0.  I have to
> enable ICEWM 1.3.12-r1.  The regular stable version built under gcc
> 6.3.0 segfaults 1 or 2 seconds after starting.
> 
>   I used to run with USE="-* blah blah blah".  I no longer do that, but
> I aggressively disable USE flags, until something breaks, then I back
> off.  My current USE line (it's actually one long line)...
> 
> USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg
> threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium
> -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6
> -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev
> -udisks -unicode -xinerama"
> 
>   Some of the above is over-ridden in package.use.
> 

Well, now that's a good summary (starting point) for a minimized gentoo
system. The gentoo-devs have been discussing changes to the profiles,
but I'm not certain where that has ended up. I just use the 'default'
and go from there, or the simplest 'hardened' profile that is cpu
relevant. I'm not sure of the most straightforward way to compare
flag settings (the difference) between any two profiles for a new
installer to examine; perhaps somebody else has a straightforward
method to compare current profiles, within a given architecture?

Surely a look at the contents of the @system set is a good starting point
for a new gentooer to see what he gets no matter which profile he
selects?  Then there are the 'experimental' profiles that the devs keep
moving around; who knows what's up with those mavericks.


Hopefully the AliceF [1] GSoC work will result in some structure to
follow for a minimized and hardened kernel going forward. Even in the
gentoo-sources kernel there is much that can be stripped out, reducing
bloat at the least and probably reducing attack venues too. During this
process, I keep several bootable kernels available so reverting is easy.
Perhaps there is a gentoo wiki page that at least outlines the manual
processes (a structured approach) as users go down the pathway of
stripping out what their workstation does not need in a kernel?

Perhaps someone has a slick, home-spun tool that readily identifies
what can be additionally stripped from the current kernel offerings on
the pathway to minimized_nirvana?


Then there's NFTables; not sure anything useful is published on
NFTables, nor how effective it is for a workstation firewall... [3]

Thanks Walter for sharing. Increasing the population of (OpenRC et al.)
minimalists is always welcome as our numbers are growing every day;
not that one is bound to OpenRC to be a gentoo_minimalist.



hth,
James

[1] https://blogs.gentoo.org/alicef/
https://archives.gentoo.org/gentoo-soc/threads/2017-06/

[3] https://wiki.gentoo.org/wiki/Nftables




Re: [gentoo-user] About using only precompiled pkgs

2017-07-05 Thread Rich Freeman
On Wed, Jul 5, 2017 at 8:57 AM, Harry Putnam  wrote:
> I skimmed thru some of the documentation about using binary pkgs
> online, but it kind of indicated it might not be possible to get
> everything in that format.

As long as you use the default USE flags I don't see why you wouldn't
be able to get everything online which is binary-redistributable.  If
you want USE=-bindist (which most people do) that list is going to be
smaller.

The biggest issue is that I don't think anybody maintains a public
repository of packages.  Tools exist to build one, and I'm sure that
organizations may use these internally.  However, there isn't anywhere
a user can just point portage at and ask it to go fetching binary
packages.

> Wondering if using mostly binary pkgs is a biggish hassle or if it can
> be done... and done without the time-sink always involved in `emerge
> world'..(over time)?

For a single system there isn't much benefit in general, though for
reinstalls you can certainly save binary packages of everything you do
build.  I do this for everything I build.  I also have Gentoo
pre-build binary packages where it can overnight so that I can do
quick installs during the day after reviewing the list of new packages
to install.

However, I'm still building everything once no matter what, so it
doesn't save on CPU.  I'm just time-shifting the builds to before when
I review the package update list (I don't blindly install updates).

If I had multiple identical hosts then the binary packages would
probably save me a heap of time though.

> So, can someone be a gentoo user and NOT subscribe to one of the
> main tenets of the gentoo view of things.

Building packages is a means to an end - finding ways to do it only as
much as possible merely makes you efficient, and I'd certainly say
that this is in the spirit of Gentoo.

I'd love to see a Gentoo binary repository with default USE flags,
with the package manager being smart enough to find whether the
configuration it wants to install happens to be pre-built.  Users
could still tweak USE flags.  Obviously tweaking global USE flags is
going to make most of the binary packages useless and it would fall
back to current behavior.  However, if you only wanted to tweak flags
that impact a subset of the packages you'd benefit from the binary
builds of anything your settings didn't touch.

CFLAGS would be a bigger problem.  While I imagine that we could have
more than one set of those pre-built we certainly couldn't cover every
variation Gentoo users want.  CFLAGS have a much wider impact than
even USE flags.

Something like this would probably also drive changes like changing
USE=-docs to an install mask.  There is no sense keeping two versions
of a binary package around just to avoid installing docs.

-- 
Rich



[gentoo-user] About using only precompiled pkgs

2017-07-05 Thread Harry Putnam
I skimmed thru some of the documentation about using binary pkgs
online, but it kind of indicated it might not be possible to get
everything in that format.

Wondering if using mostly binary pkgs is a biggish hassle or if it can
be done... and done without the time-sink always involved in `emerge
world'..(over time)?

As a longish time gentoo user (more than 12 yrs at a guess)... I can
only guess at the enormous amount of time I've spent getting thru
various aspects of `emerge world'.  I am sure it would be quite an
astounding figure.

Due to an unusual thickness of skull... I may have spent more time
than the average bear.

So, can someone be a gentoo user and NOT subscribe to one of the
main tenets of the gentoo view of things.