begin quote
On Thu, 30 Oct 2003 00:35:37 +0100 Vano D <[EMAIL PROTECTED]> wrote:

> > Another alternative is to use a staging machine to build binaries,
> > then simply untar the .tbz2 files, instead of using portage to do
> > it. (evil solution actually ;)
> >
> > After that, some manual pruning should get the things in order.
>
> Yeah really evil. I guess this is what some people do. But I would
> prefer to have portage do the stuff instead of getting worries that I
> might have forgotten to fix a file or something..

Yes, perhaps. But one thing that struck me is how build dependencies and run dependencies are different, and one can fairly simply modify a binary package to not include the things you don't want (or portage to remove it before checksumming/merge-ing). And therefore still have portage do its stuff, but no... real portage. Though, you still need python and the portage software, even if you might not need the tree.

> > Though, for a server you don't gain anything in security by removing
> > compilers and development tools. perhaps in complexity and size,
> > though.
>
> Well. Regarding security that is a bit relative. You do gain in the
> sense that the cracker has one less tool/option at hand and hence you
> gain a little bit more of the higher ground against the attacker. The
> less options/possibilities the cracker has the harder (even if it's only
> a little bit) it gets to penetrate (although not impossible of
> course).

Well, sense in this case is purely relative. Checking the honeypot project and dissection competitions will give you a further sense on what the crackers actually do. The interesting one was compiled against a Slackware 2.0 system, and statically linked there (using gcc 2.7, I think), to be imported and run on the victim machine.. Just because that makes for a smaller footprint on the actual payload.

> Also as you state it is nice to have a simple clean lean system with a
> small footprint.

Yeah, this would be interesting for installing Gentoo on that 240 Mb drive .... ;)

> I really don't know how valid my assumptions are, but I am willing to
> give it a shot to see what comes out of a de-Gentooizable Gentoo ;)

See it as this: at least you'll learn something. That means it's a pure gain from my perspective. :)

//Spider

-- 
begin .signature
This is a .signature virus! Please copy me into your .signature!
See Microsoft KB Article Q265230 for more information.
end
