On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras <hwoar...@gentoo.org> wrote:
> On Fri, Oct 29, 2010 at 12:02:20PM +0000, Jorge Manuel B. S. Vicetto wrote:
>> Hi.
>> On 29-10-2010 11:03, Markos Chandras wrote:
>> > Hi
>> >
>> > I don't know how many of you are using these profiles. I would like to
>> > propose a couple of changes
>> >
>> > 1) I want to drop the warning message located on profile.bashrc files
>> > e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
>> > It is more than obvious what this profile is for so I don't think this
>> > message makes any sense.
>> I've always taken the message about the server profiles not being
>> properly tested as a warning that anyone wanting to run a "secure"
>> server profile should use one of the hardened profiles.
> But isn't that obvious? How are server profiles related to hardened
> anyway? Anyway, this can stay. The rest about GCC and Glibc I think is
> useless

I think there are two nagging things that this thread raises.

Jorge's comment leads me to:

'Anyone wanting to run a secure server profile should use hardened'
tends to imply that the server profile is insecure which is probably
not what you intend to convey to users.  Hardened is likely more
secure (which is all we can really say authoritatively...)  I don't
think saying that *somewhere* is a bad idea.  The profile.bashrc is
likely not the best place however.

>> If so, I'd leave that warning alone until we get enough people working
>> on the server profiles so we can make any promises about it.
> How many? Work on what actually? It is just a profile with minimal use
> flags. There is nothing to work on :-/ I don't understand that. Tell me
> which areas of server profile need more attention so I can understand
> what are you talking about

If it is a profile with minimal use flags why not call it minimal? :)

>> > 2) Furthermore I would like to drop the following use flags from default
>> > IUSE
>> >
>> > -apache2
>> > -ldap
>> >
>> > A minimal server installation requires neither apache2 nor ldap
>> Although one can install a server without apache or ldap, I'd say the
>> server profile seems the natural choice to have them enabled.
> So you assume that the most common server configuration is for active
> directory or web hosting

I think the values are there as a CYA thing to replace auto-use.  I
think when someone installs LDAP they generally want the ldap use flag
(so optionally LDAP support is compiled into apps).  The same thing is
true of apache.  Now sadly I removed support for auto-use around 2006
because it was a giant mess so instead we have default profile use

>> If we had the statistics for it, we could check how many people have
>> apache installed with that profile vs not having it. As there's nothing
>> preventing one from having USE="-apache2 -ldap" when required and I
>> don't use the server profiles, I don't really have a strong opinion
>> about this.
> Same for USE="apache2 ldap" on make.conf. That is not a valid argument
> :)

1) I don't believe anyone has any clear data on what flags are enabled
or disabled by users.
2) Each of us uses the server profile differently.
3) Each of us has a different idea of what is involved with running a server.

It is difficult to take the argument in any strong direction due to
these types of problems (it is an obvious bikeshed..)

I will instead try a different tack.  I think it is advantageous to
reduce the number of default flags.  There is a question of what will
break though; so that is the question I pose to you.

Can I install a machine with the server profile and USE=-ldap, but
still get ldap + pam working?
Can I install a machine with the server profile and USE=-apache, but
still get apache + php working?  apache + rails?
How many packages support each USE flag?
How many of those packages have IUSE defaults for +ldap or +apache already?


>> - --
>> Regards,
>> Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
>> Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
> --
> Markos Chandras (hwoarang)
> Gentoo Linux Developer
> Web: http://hwoarang.silverarrow.org
> Key ID: 441AC410
> Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410
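
One way to put numbers on the last two questions in the reply above (how many packages support a USE flag, and how many already enable it through an IUSE default). This is an added example, not part of the original thread or of any Gentoo tool; `count_flag` and `make_sample_tree` are hypothetical names, and it assumes IUSE is a literal double-quoted assignment in the ebuild, so flags contributed by eclasses or variables are not counted.

```shell
# count_flag TREE FLAG  ->  prints "<ebuilds declaring FLAG> <of those with +FLAG>"
# Only tokens inside IUSE="..." are counted (the value may span several lines);
# mentions of the flag in DEPEND or elsewhere are ignored.
count_flag() {
    find "$1" -type f -name '*.ebuild' -exec awk -v flag="$2" '
        function emit() { if (seen) print (on ? "default-on" : "declared") }
        FNR == 1 { emit(); seen = 0; on = 0; inq = 0 }   # new file: report the previous one
        /^[ \t]*IUSE\+?="/ { inq = 1; sub(/^[^"]*"/, "") }
        inq {
            line = $0
            q = index(line, "\"")                         # closing quote ends the value
            if (q) { line = substr(line, 1, q - 1); inq = 0 }
            n = split(line, tok)
            for (i = 1; i <= n; i++) {
                if (tok[i] == ("+" flag)) { seen = 1; on = 1 }
                else if (tok[i] == flag || tok[i] == ("-" flag)) seen = 1
            }
        }
        END { emit() }
    ' {} + | awk '{ d++ } $1 == "default-on" { o++ } END { print d + 0, o + 0 }'
}

# Constructed sample tree (not real ebuilds) so the function can be tried offline.
make_sample_tree() {
    mkdir -p "$1/cat/a" "$1/cat/b" "$1/cat/c"
    printf 'IUSE="+ldap ssl"\n' > "$1/cat/a/a-1.ebuild"
    printf 'IUSE="ldap\n\tapache2"\n' > "$1/cat/b/b-1.ebuild"
    printf 'IUSE="ssl"\nDEPEND="ldap? ( net-nds/openldap )"\n' > "$1/cat/c/c-1.ebuild"
}
```

Against a real tree the call would be `count_flag "$PORTDIR" ldap`; a large gap between the two numbers shows how much a package's behaviour depends on the profile default rather than on the package's own IUSE default.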
