Re: [gentoo-dev] Moving more hardening features to default?

2011-10-25 Thread Paweł Hajdan, Jr.
On 10/25/11 5:11 PM, Rich Freeman wrote: > And "Debian is doing it" or whatever isn't actually a bad reason to > consider this. When Debian does something by default, it means that > upstream packages will take notice. Right, I was thinking about the change for a long time, but if Debian, which a

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-25 Thread Rich Freeman
On Tue, Oct 25, 2011 at 10:18 AM, Kacper Kowalik wrote: > 2) What's wrong with current approach i.e. having separate hardened profile? I don't really see the hardened profile and some hardening by default as being redundant. When I think about the hardened profile I think high security at the co

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-25 Thread Patrick Lauer
On 10/25/11 16:18, Kacper Kowalik wrote: On 20.10.2011 10:47, "Paweł Hajdan, Jr." wrote: I've noticed , i.e. Debian is starting to make more and more hardening features default, at least for most packages. Should we start doin

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-25 Thread Kacper Kowalik
On 20.10.2011 10:47, "Paweł Hajdan, Jr." wrote: > I've noticed > , i.e. > Debian is starting to make more and more hardening features default, at > least for most packages. > > Should we start doing that too? What are possible pr

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Magnus Granberg
Thursday 20 October 2011 13.17.33 Mike Frysinger wrote: > On Thursday 20 October 2011 12:47:27 Rich Freeman wrote: > > I was trying to draw a contrast between passive things like > > stack-protection and things that really get in your face like MAC. > > the trouble was in the context quoting then

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Mike Frysinger
On Thursday 20 October 2011 12:47:27 Rich Freeman wrote: > I was trying to draw a contrast between passive things like > stack-protection and things that really get in your face like MAC. the trouble was in the context quoting then ... it sounded like you were proposing PaX by default i am a fan

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Rich Freeman
On Thu, Oct 20, 2011 at 10:36 AM, Anthony G. Basile wrote: > I would not recommend PaX at this time.  As Mike said, it breaks things, > sometimes important things.  E.g. python ctypes was broken there for a > while on hardened.  Also, unlike toolchain, it requires that you > configure your kernel c

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Anthony G. Basile
On 10/20/2011 08:57 AM, Mike Frysinger wrote: > On Thursday 20 October 2011 08:41:55 Rich Freeman wrote: >> 2011/10/20 Tomáš Chvátal: >>> I would say that most hardened features should be merged to main >>> profile as soon as they won't cause major PITA for the regular users. >> I agree - especi

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Mike Frysinger
On Thursday 20 October 2011 08:41:55 Rich Freeman wrote: > 2011/10/20 Tomáš Chvátal: > > I would say that most hardened features should be merged to main > > profile as soon as they won't cause major PITA for the regular users. > > I agree - especially for stuff that doesn't require active setu

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Mike Frysinger
On Thursday 20 October 2011 04:47:14 Paweł Hajdan, Jr. wrote: > I've noticed > , i.e. > Debian is starting to make more and more hardening features default, at > least for most packages. seems a bit light on what actually is being us

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Rich Freeman
2011/10/20 Tomáš Chvátal : > I would say that most hardened features should be merged to main > profile as soon as they won't cause major PITA for the regular users. I agree - especially for stuff that doesn't require active setup (stack protection, PaX, etc). If there are features that we cou

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Tomáš Chvátal
2011/10/20 Anthony G. Basile : > USE=hardened refers to only toolchain hardening.  The problems there are > mostly packages which break with PIE because they (ab)use assembly. > Things like virtualbox and some codecs.  This can become a thorny mess. > > It would probably be nearly painless to brin

Re: [gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Anthony G. Basile
On 10/20/2011 04:47 AM, "Paweł Hajdan, Jr." wrote: > I've noticed > , i.e. > Debian is starting to make more and more hardening features default, at > least for most packages. > > Should we start doing that too? What are possible prob

[gentoo-dev] Moving more hardening features to default?

2011-10-20 Thread Paweł Hajdan, Jr.
I've noticed , i.e. Debian is starting to make more and more hardening features default, at least for most packages. Should we start doing that too? What are possible problems with that? It seems like it's mostly about USE=hardened,