[gentoo-user] Re: secure programing language?

2018-05-08 Thread Ian Zimmerman 
On 2018-05-08 21:41, Canek Peláez Valdés wrote:

> > So are there currently any languages (currently in use/supported)
> > designed to avoid the problems with C and other languages?

> I think Go and Rust would fit the bill.

Ocaml, and (if you're married to C-like syntax) its new skin Reason,
backed by no smaller behemoth than Facebook.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

Re: [gentoo-user] vulkan development...

2018-05-08 Thread Ian Bloss 
I believe the vulkan sdk provides that

On Tue, May 8, 2018, 7:34 PM Alan Grimes  wrote:

> After playing Rise of The Tombraider using Vulkan on Gentoo I got
> inspired to try to poke with some source code. I downloaded vkQuake from
> github and tried to build it. It couldn't find ...
>
> Uh, where are the headers? What package are they in? =(
>
> --
> Please report bounces from this address to a...@numentics.com
>
> Powers are not rights.
>
>
>

[gentoo-user] vulkan development...

2018-05-08 Thread Alan Grimes 
After playing Rise of The Tombraider using Vulkan on Gentoo I got
inspired to try to poke with some source code. I downloaded vkQuake from
github and tried to build it. It couldn't find ...

Uh, where are the headers? What package are they in? =(

-- 
Please report bounces from this address to a...@numentics.com

Powers are not rights.

Re: [gentoo-user] secure programing language?

2018-05-08 Thread Rich Freeman 
On Tue, May 8, 2018 at 5:41 PM Canek Peláez Valdés  wrote:

> On Tue, May 8, 2018 at 4:33 PM 
wrote:
> >
> > So are there currently any languages (currently in use/supported)
  designed to avoid the problems with C and other languages?
> >
> > Something with strong types and provisions for automatic input
validation beyond typing, i.e. range limitation?
> >
> > Something that compiles, something that doesn't self optimize (math may
be good, but just like encryption the implementation can be
flawed/exploitable due to various errors).  Because you can't validate a
moving target.
> >
> > something that strongly isolates data from code, something that
protects the heap and stack aggressively (other than just os implemented
mechanisms like stack canaries).
> >
> > Any suggestions?  I'm going to be picking up programming again and I'd
greatly prefer spending my time using a language that has security built in
rather than depend on the application programmer adding protections after
the fact.
> >
> > I'll still have to learn C as well,  so I can understand/modify
existing code but I'd like to be as proactive as possible about security
and reliability  in what I write.  And again, something that compiles.  Not
specificly looking at writing web apps per say, though i'd also be
interested in any well secured/proactive languages for some internet/LAN
usage.

> I think Go and Rust would fit the bill.


Ada is the traditional example of this as well.

Most high-level languages avoid a lot of the issues with C since they do
their own memory management/etc.  On the flip side a lot of them are not
statically typed which can cause all kinds of runtime issues.  Languages
like Go/Rust/Ada which are statically typed but also which do their own
memory management are probably the best of all world.  Then again, they can
also be more painful to work with.

I can't rigorously compare them.  I know Rust tends to be intended to be
more suitable for systems programming (leaner/etc), and I believe Go tends
to handle concurrency/etc and seems to be very much in fashion for
general-purpose programming these days.  I'm not sure how either compares
to Ada, which has been around for a long time.

-- 
Rich

Re: [gentoo-user] secure programing language?

2018-05-08 Thread Canek Peláez Valdés 
On Tue, May 8, 2018 at 4:33 PM  wrote:
>
> So are there currently any languages (currently in use/supported)
 designed to avoid the problems with C and other languages?
>
> Something with strong types and provisions for automatic input validation
beyond typing, i.e. range limitation?
>
> Something that compiles, something that doesn't self optimize (math may
be good, but just like encryption the implementation can be
flawed/exploitable due to various errors).  Because you can't validate a
moving target.
>
> something that strongly isolates data from code, something that protects
the heap and stack aggressively (other than just os implemented mechanisms
like stack canaries).
>
> Any suggestions?  I'm going to be picking up programming again and I'd
greatly prefer spending my time using a language that has security built in
rather than depend on the application programmer adding protections after
the fact.
>
> I'll still have to learn C as well,  so I can understand/modify existing
code but I'd like to be as proactive as possible about security and
reliability  in what I write.  And again, something that compiles.  Not
specificly looking at writing web apps per say, though i'd also be
interested in any well secured/proactive languages for some internet/LAN
usage.

I think Go and Rust would fit the bill.

Regards.
--
Dr. Canek Peláez Valdés
Profesor de Carrera Asociado C
Departamento de Matemáticas
Facultad de Ciencias
Universidad Nacional Autónoma de México

[gentoo-user] secure programing language?

2018-05-08 Thread mad.scientist.at.large 
So are there currently any languages (currently in use/supported)  designed to 
avoid the problems with C and other languages?  

Something with strong types and provisions for automatic input validation 
beyond typing, i.e. range limitation?

Something that compiles, something that doesn't self optimize (math may be 
good, but just like encryption the implementation can be flawed/exploitable due 
to various errors).  Because you can't validate a moving target.

something that strongly isolates data from code, something that protects the 
heap and stack aggressively (other than just os implemented mechanisms like 
stack canaries).

Any suggestions?  I'm going to be picking up programming again and I'd greatly 
prefer spending my time using a language that has security built in rather than 
depend on the application programmer adding protections after the fact.

I'll still have to learn C as well,  so I can understand/modify existing code 
but I'd like to be as proactive as possible about security and reliability  in 
what I write.  And again, something that compiles.  Not specificly looking at 
writing web apps per say, though i'd also be interested in any well 
secured/proactive languages for some internet/LAN usage.

mad.scientist.at.large (a good madscientist)
--
Read, Scream, Fight >

Re: [gentoo-user] Re: Spectre-NG

2018-05-08 Thread Rich Freeman 
On Tue, May 8, 2018 at 4:19 AM Martin Vaeth  wrote:

> Rich Freeman  wrote:
> >
> > Higher-level languages will probably become nearly immune to Spectre
just
> > as most are nearly immune to buffer overflows.

> Quite the opposite: Higher-level languages *always* do some checks
> for array-length etc, and it is the _checks_ which are vulnerable.
> You can only make them non-vulnerable by making them horribly slow
> (by omitting speculative execution completely for the corresponding
> conditionals).

Sure, but my point is that you CAN make them non-vulnerable by changing the
compiler.

On the other hand, if somebody manually does a range check in C the only
way to fix it is to either fix the source code (which is about as likely to
work as trying to prevent programmers from create buffer overflows), or use
heuristics to figure out what is going on and apply the fixes
automatically.  That is going to be just as slow, and the compiler might
not be able to catch every situation where it applies.

The compiler doesn't have to guess where the range checks are in a
high-level language because it is the compiler that is doing the range
checks in the first place.

-- 
Rich

Re: [gentoo-user] apache mod_wsgi radicale and passing in an environment variable

2018-05-08 Thread Mick 
On Tuesday, 8 May 2018 00:00:04 BST Bill Kenworthy wrote:
> Hi all,
> 
> how does one set an environment variable for Apache mod_wsgi on gentoo?
> 
> I am using the radicale wsgi module and it requires the config file to
> be passed in from the environment to be set in the environment.  The
> documents recommend something like whats below, but is not specific on
> saying where it is to be set in my configuration.
> 
> |env = RADICALE_CONFIG=/etc/radicale/config|
> 
> BillK

Have you tried using the SetEnv directive?  For example:

=

   ...
   SetEnv RADICALE_CONFIG /etc/radicale/config
   ...

==

should work after you reload the config.
 
-- 
Regards,
Mick

signature.asc
Description: This is a digitally signed message part.

[gentoo-user] Re: Spectre-NG

2018-05-08 Thread Martin Vaeth 
Rich Freeman  wrote:
>
> Higher-level languages will probably become nearly immune to Spectre just
> as most are nearly immune to buffer overflows.

Quite the opposite: Higher-level languages *always* do some checks
for array-length etc, and it is the _checks_ which are vulnerable.
You can only make them non-vulnerable by making them horribly slow
(by omitting speculative execution completely for the corresponding
conditionals).

The same omission could also be arranged automatically for _every_
C-code (security at the price of a hugh speed cost). I still do
not understand why such an option is not yet implemented in gcc:
AFAIK, none of the current options -mindirect-branch*
-mfunction-return* -fcf-protection=full (though I am not
completely sure about the latter) would protect you automatically
against speculative exection for bound-checking conditional tests.
I am aware that this would cost a lot of speed,
but for certain systems/applications this might be worth.