On Fri, Oct 29, 2010 at 09:11:33AM -0700, Alec Warner wrote:
> 'Anyone wanting to run a secure server profile should use hardened'
> tends to imply that the server profile is insecure which is probably
> not what you intend to convey to users.  Hardened is likely more
> secure (which is all we can really say authoritatively...)  I don't
> think saying that *somewhere* is a bad idea.  The profile.bashrc is
> likely not the best place however.
I understand your concern and why someone might get confused about the
server/hardened thingie however I think that polluting this profile 
in this way is not acceptable. 
Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete.
At least this part has to be removed/changed
> 
> >> If so, I'd leave that warning alone until we get enough people working
> >> on the server profiles so we can make any promises about it.
> > How many? Work on what actually? It is just a profile with minimal use
> > flags. There is nothing to work on :-/ I don't understand that. Tell me
> > which areas of server profile need more attention so I can understand
> > what are you talking about
> 
> If it is a profile with minimal use flags why not call it minimal? :)
Cause 'server' is minimal by default.
> 
> >>
> >> If we had the statistics for it, we could check how many people have
> >> apache installed with that profile vs not having it. As there's nothing
> >> preventing one from having USE="-apache2 -ldap" when required and I
> >> don't use the server profiles, I don't really have a strong opinion
> >> about this.
> > Same for USE="apache2 ldap" on make.conf. That is not a valid argument
> > :)
> 
> 1) I don't believe anyone has any clear data on what flags are enabled
> or disabled by users.
> 2) Each of us users the server profile differently.
> 3) Each of us has a different idea of what is involved with running a server.
> 
> It is difficult to take the argument in any strong direction due to
> these types of problems (it is an obvious bikeshed..)
> 
> I will instead try a different tact.  I think it is advantageous to
> reduce the number of default flags.  There is a question of what will
> break though; so that is the question I pose to you.
> 
> Can I install a machine with the server profile and USE=-ldap, but
> still get ldap + pam working?
> Can I install a machine with the server profile and USE=-apache, but
> still get apache + php working?  apache + rails?
> How many packages support each USE flag?
> How many of those packages have IUSE defaults for +ldap or +apache already?
First of all, relying on specific package use flag choices is wrong by
default. What if these package change their default use flags some day?
Are you sure you want to engineer your profiles' behavior based on 
specific packages?
Using these flags by default you imply that the server profile is
optimised for web hosting/active directory usage. So why don't you add
ipv6, snmp, vhosts by default too, to include all those firewall/router
hosts running Gentoo? The server profile *imho* should have 
as few as possible USE flags. Users who use this profile should be well
educated on how to add more USE flags if needed. 

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410

Attachment: pgpFeSJRtjh2I.pgp
Description: PGP signature

Reply via email to