Re: [gentoo-user] About using only precompiled pkgs
On 07/05/17 08:57, Harry Putnam wrote: > I skimmed thru some of the documentation about using binary pkgs > online, but it kind of indicated it might not be possible to get > everything in that format. > > Wondering if using mostly binary pkgs is a biggish hassle or if it can > be done... and done without the time-sink always involved in `emerge > world'..(over time)? > > As a longish time gentoo user (more than 12 yrs at a guess)... I can > only guess at the enormous amount of time I've spent getting thru > various aspects of `emerge world'. I am sure it would be quite an > astounding figure. > > Due to an unusual thickness of skull... I may have spent more time > than the average bear. > > So, can someone be a gentoo user and NOT subscribe to one of the > main tenets of the gentoo view of things. > > > Yep, just select a gentoo derivative distro [1] that puts out binaries as an alternative. But then when you do not find a binary for what you want, you mostly end up with a 'one-off' to 'hokey' manual install semantic. Most folks astute enough to run gentoo, fear binaries put together and offered as part of a distro. Are checksums enough to ensure the integrity of internet available binaries? I'd suspect that is a common attack vector for today's interlopers CoreOS may be good for you, if you can stomach systemd. caveat emptor... hth, James [1] https://wiki.gentoo.org/wiki/Distributions_based_on_Gentoo
Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.
On 07/04/17 23:16, Walter Dnes wrote: > On Tue, Jul 04, 2017 at 01:37:38PM -0400, james wrote > >> W. Dnes is the king of minimalist here, so when he gives advise >> realize it has decades of experimentation to get to where he is on >> minimization. > > Not exactly "decades". I first started linux in late 1999 or early > 2000. The minimalist approach was a side-effect of me being cheap. > Even though I have a newer machine as my "hot backup" waiting in the > wings, I want to run my older machine into the ground first. 10 years > ago I was running a 450 mhz pentium3 with 256 megabytes of ram. Today > I'm running a 2008 Dell with Core2 Duo and 3 gigs of ram today. I have > a newer i6 with 8 gigs of ram as the hot backup. Running an older > limited machine forces you to optimize. The Gentoo USE flags give me > the control to do the utmost minimization. > > I run the plain default/linux profile, and ICEWM as my WM and no > "desktop environment" (as per my sig). The less attack surface, the > better. Do not run the Flash plugin or the Java plugin. If you > absolutely have to do so, use it inside a VM (e.g. QEMU). I have an > aggressive handcrafted iptables firewall. In addition, my little LAN > sits behind a NAT-ing router, and I disable UPNP. That covers my > approach to security. > > I run mostly stable, except where an app I want/need is only unstable. > Gentoo currently defaults to gcc-5.4.0. I've enabled 6.3.0. I have to > enable ICEWM 1.3.12-r1. The regular stable version built under gcc > 6.3.0 segfaults 1 or 2 seconds after starting. > > I used to run with USE="-* blah blah blah". I no longer do that, but > I aggressively disable USE flags, until something breaks, then I back > off. My current USE line (it's actually one long line)... > > USE="X apng bindist ffmpeg jpeg opengl png szip truetype x264 x265 xorg > threads webp -acl -berkdb -caps -cracklib -crypt -filecaps -gallium > -gdbm -graphite -gstreamer -iconv -introspection -ipc -iptables -ipv6 > -libav -llvm -manpager -nls -openmp -pam -pch -sendmail -tcpd -udev > -udisks -unicode -xinerama" > > Some of the above is over-ridden in package.use. > Well, now that's a good summary (starting point) for a minimized gentoo system. The gentoo-devs have been discussing changes to the profiles, but I'm not certain where that has ended up. I just use the 'default' and go from there, or the simplest 'hardened' profile that is cpu relevant. I'm not sure of the most straight forward way to compare flag setting (the difference) between any two profiles for a new installer to examine; perhaps somebody else has a straight forward method to compare current profiles, within a given architecture? Surely at look at the contents of @system set is a good starting point for a new gentooer to see what he gets no matter which profile he selects? Then there is the 'experimental' profiles that the devs keep moving around; who knows what's up with those mavericks Hopefully the AliceF [1] GSoC work will result in some structure to to follow for a minimized and hardened kernel going forward. Even in the gentoo-sources kernel there is much that can be stripped out, reducing bloat at the least and probably reducing attack venues too. During this process, I keep several bootable kernels available so reverting is easy. Perhaps there is a gentoo wiki page that at least outlines the manual processes (a structured approach) as users go down the pathway of stripping out what their workstation does not need in a kernel? Perhaps someone has a slick, home-spun, tool that readily identifies what can be additionally stripped from the current kernel offerings on the pathway to minimized_nirvana ? Then there's NFTables; not sure anything useful is published on NFTables, nor how effective it is for a workstation firewall... [3] Thanks Watler for sharing. Increasing the population of (OpenRC et. al.) minimalists is always welcome as our numbers are growing every day; not that one is bound to OpenRC to be a gentoo_minimalist. hth, James [1] https://blogs.gentoo.org/alicef/ https://archives.gentoo.org/gentoo-soc/threads/2017-06/ [3] https://wiki.gentoo.org/wiki/Nftables
Re: [gentoo-user] About using only precompiled pkgs
On Wed, Jul 5, 2017 at 8:57 AM, Harry Putnamwrote: > I skimmed thru some of the documentation about using binary pkgs > online, but it kind of indicated it might not be possible to get > everything in that format. As long as you use the default USE flags I don't see why you wouldn't be able to get everything online which is binary-redistributable. If you want USE=-bindist (which most people do) that list is going to be smaller. The biggest issue is that I don't think anybody maintains a public repository of packages. Tools exist to build one, and I'm sure that organizations may use these internally. However, there isn't anywhere a user can just point portage at and ask it to go fetching binary packages. > > Wondering if using mostly binary pkgs is a biggish hassle or if it can > be done... and done without the time-sink always involved in `emerge > world'..(over time)? For a single system there isn't much benefit in general, though for reinstalls you can certainly save binary packages of everything you do build. I do this for everything I build. I also have Gentoo pre-build binary packages where it can overnight so that I can do quick installs during the day after reviewing the list of new packages to install. However, I'm still building everything once no matter what, so it doesn't save on CPU. I'm just time-shifting the builds to before when I review the package update list (I don't blindly install updates). If I had multiple identical hosts then the binary packages would probably save me a heap of time though. > So, can someone be a gentoo user and NOT subscribe to one of the > main tenets of the gentoo view of things. Building packages is a means to an end - finding ways to do it only as much as possible merely makes you efficient, and I'd certainly say that this is in the spirit of Gentoo. I'd love to see a Gentoo binary repository with default USE flags, with the package manager being smart enough to find whether the configuration it wants to install happens to be pre-built. Users could still tweak USE flags. Obviously tweaking global USE flags is going to make most of the binary packages useless and it would fall back to current behavior. However, if you only wanted to tweak flags that impact a subset of the packages you'd benefit from the binary builds of anything your settings didn't touch. CFLAGS would be a bigger problem. While I imagine that we could have more than one set of those pre-built we certainly couldn't cover every variation Gentoo users want. CFLAGS have a much wider impact than even USE flags. Something like this would probably also drive changes like changing USE=-docs to an install mask. There is no sense keeping two versions of a binary package around just to avoid installing docs. -- Rich
[gentoo-user] About using only precompiled pkgs
I skimmed thru some of the documentation about using binary pkgs online, but it kind of indicated it might not be possible to get everything in that format. Wondering if using mostly binary pkgs is a biggish hassle or if it can be done... and done without the time-sink always involved in `emerge world'..(over time)? As a longish time gentoo user (more than 12 yrs at a guess)... I can only guess at the enormous amount of time I've spent getting thru various aspects of `emerge world'. I am sure it would be quite an astounding figure. Due to an unusual thickness of skull... I may have spent more time than the average bear. So, can someone be a gentoo user and NOT subscribe to one of the main tenets of the gentoo view of things.