Re: [gentoo-dev] Re: Proposal: ban mirror://gentoo/ from ebuilds

2011-08-18 Thread Anthony G. Basile
On 08/18/2011 05:53 AM, Diego Elio Pettenò wrote: > Il giorno gio, 18/08/2011 alle 05.46 -0400, Anthony G. Basile ha > scritto: >> >> What alternative are you proposing to mirror://gentoo/ if upstream >> doesn't provide a tarball, eg with large patchsets the maintainer

Re: [gentoo-dev] Proposal: ban mirror://gentoo/ from ebuilds

2011-08-18 Thread Anthony G. Basile
oo/ if upstream doesn't provide a tarball, eg with large patchsets the maintainer constructs? Anticipating your answer might be "keep them in your dev space", then what would be the deprecation policy for distfiles that are no longer used by ebuilds? I foresee a tension between keep

Re: [gentoo-dev] POSIX capability in Gentoo

2011-08-02 Thread Anthony G. Basile
be to write a howto and show the user how to manually convert some typical binaries. There are only a handful that would be targeted. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

Re: [gentoo-dev] POSIX capability in Gentoo

2011-08-02 Thread Anthony G. Basile
>> > So no, not something via pkg_postinst(). > Please don't. > Why would this be bad? -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

Re: [gentoo-dev] POSIX capability in Gentoo

2011-08-02 Thread Anthony G. Basile
On 08/02/2011 10:31 AM, Ciaran McCreesh wrote: > On Tue, 02 Aug 2011 10:28:58 -0400 > "Anthony G. Basile" wrote: >> I prefer capsetting in the PMS itself, with a nice clean function >> which auto detects all the necessary conditions and transparently >> preserves

Re: [gentoo-dev] POSIX capability in Gentoo

2011-08-02 Thread Anthony G. Basile
On 08/02/2011 03:08 AM, Michał Górny wrote: > On Sun, 31 Jul 2011 16:00:40 -0400 > "Anthony G. Basile" wrote: > >> On 07/31/2011 03:46 PM, Nirbheek Chauhan wrote: >>> On Sun, Jul 31, 2011 at 8:13 PM, Anthony G. Basile >>> wrote: >>>> Hi

Re: [gentoo-dev] POSIX capability in Gentoo

2011-07-31 Thread Anthony G. Basile
On 07/31/2011 03:46 PM, Nirbheek Chauhan wrote: > On Sun, Jul 31, 2011 at 8:13 PM, Anthony G. Basile > wrote: >> Hi everyone, >> >> A couple of days ago, bonsaikitten (Patrick), kerframil (Kerin Millar) >> and myself were talking about other distros moving away f

[gentoo-dev] POSIX capability in Gentoo

2011-07-31 Thread Anthony G. Basile
area and that there was a consensus to include functions to set caps within portage [2]. I don't know what, if anything has been done since then, but I'd like to lend my support. Ref [1] http://lwn.net/Articles/420969/ [2] http://www.gossamer-threads.com/lists/gentoo/dev/226948 -- Anthony

Re: [gentoo-dev] RFC: Disambiguation of "hardened" use flag and proposal for a new global flag "pax_kernel"

2011-07-18 Thread Anthony G. Basile
On 07/16/2011 12:55 PM, "Paweł Hajdan, Jr." wrote: > On 7/15/11 3:51 AM, Anthony G. Basile wrote: >> So, here's the glitch. For example, in dev-lang/mono, following the >> above plan, we would drop the "hardened" flag, remove >> >>DEPEND

Re: [gentoo-dev] RFC: Disambiguation of "hardened" use flag and proposal for a new global flag "pax_kernel"

2011-07-15 Thread Anthony G. Basile
MPROTECT on the mono binary." sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i "${S}"/runtime/mono-wrapper.in But this assumes that paxctl is on the user's system which is not guaranteed unless the user has emerged hardened-sources (which will depend on paxctl). scanelf would have to be the replacement in such cases because it is guaranteed to be there by the profiles. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

[gentoo-dev] RFC: Disambiguation of "hardened" use flag and proposal for a new global flag "pax_kernel"

2011-07-14 Thread Anthony G. Basile
The hardened team will work with maintainers to clean up the flags. Thanks, and we await comments. --The hardened team. Ref [1] http://archives.gentoo.org/gentoo-hardened/msg_040568ebe0a2f55c76820cfdcf8a0ff9.xml -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

Re: [gentoo-dev] rfc: should openrc be mandatory on all gentoo systems?

2011-06-29 Thread Anthony G. Basile
to feel good. > Hi Patrick, I started the madness :) But it wasn't because I didn't prefer openrc over all other init systems, but because I wanted to create minimal chroot environments without any init system whatsoever. In addition to opening up the choice for our users, this also av

[gentoo-dev] Re: [gentoo-dev-announce] sec-policy/selinux-policykit for removal

2011-06-19 Thread Anthony G. Basile
On 06/18/2011 07:06 PM, Chris PeBenito wrote: > On 6/18/2011 1:16 PM, Anthony G. Basile wrote: >> sec-policy/selinux-policykit masked for removal, bug #371441 >> >> There are no packages depending on it. > > Is sys-auth/polkit going away? That's what it's for. > Hi C

[gentoo-dev] sec-policy/selinux-policykit for removal

2011-06-18 Thread Anthony G. Basile
sec-policy/selinux-policykit masked for removal, bug #371441 There are no packages depending on it. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

Re: [gentoo-dev] Should "server" be a global use flag?

2011-05-23 Thread Anthony G. Basile
On 05/23/2011 12:37 PM, Michał Górny wrote: > On Mon, 23 May 2011 16:48:15 +0200 > Ulrich Mueller wrote: > >>>>>>> On Mon, 23 May 2011, Anthony G Basile wrote: >>> I was looking at use.desc/use.local.desc to see if the "server" >>> fla

Re: [gentoo-dev] Should "server" be a global use flag?

2011-05-23 Thread Anthony G. Basile
On 05/23/2011 10:48 AM, Ulrich Mueller wrote: >>>>>> On Mon, 23 May 2011, Anthony G Basile wrote: >> I was looking at use.desc/use.local.desc to see if the "server" flag is >> global or not. I was surprised to see that it is not. There are 26 >> pa

[gentoo-dev] Should "server" be a global use flag?

2011-05-23 Thread Anthony G. Basile
name (although I'm going to test in a minute on an overlay :) -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

Re: [gentoo-dev] hardened flavor of the developer profile

2011-05-06 Thread Anthony G. Basile
On 05/06/2011 03:29 AM, "Paweł Hajdan, Jr." wrote: > On 5/5/11 10:45 PM, Anthony G. Basile wrote: >> We simplified our profiles recently (last Oct-Nov 2010) > You're referring to > http://archives.gentoo.org/gentoo-dev/msg_d847f6258a398052deecc9786c45c604.xml,

Re: [gentoo-dev] hardened flavor of the developer profile

2011-05-05 Thread Anthony G. Basile
thing to be careful of is that there is a lot of cruft under the hardened profiles, some really old deprecated material that I have not yet cleared out. You really don't want to use one of those. Just watch out for any warning about deprecated profiles. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

Re: [gentoo-dev] Use of use.mask

2011-04-30 Thread Anthony G. Basile
only testing. In both cases a user who thinks they 'know what they're doing' can locally unmask, at their own risk. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 GnuPG ID : D0455535

Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?

2011-03-13 Thread Anthony G. Basile
On 03/13/2011 06:01 PM, Mike Frysinger wrote: > On Sunday, March 13, 2011 17:38:29 Anthony G. Basile wrote: >> On 03/13/2011 04:19 PM, Mike Frysinger wrote: >>> maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]] >> blueness@yellowness ~ $ uname -r >> 2.6.37

Re: [gentoo-dev] pax-utils.eclass: elog -> einfo?

2011-03-13 Thread Anthony G. Basile
son. for people who dont use grsec/PaX, they > probably could care less and never see this output. for people who do, they > probably do want to see this. > > maybe have it `elog` only when [[ $(uname -r) == *-grsec* ]] > -mike blueness@yellowness ~ $ uname -r 2.6.37-hardened-r5 so you need == *-hardened-* -- Anthony G. Basile, Ph.D. Gentoo Developer

[gentoo-dev] release 11.0 and freshmeat.net

2011-03-10 Thread Anthony G. Basile
pretty :) -- Anthony G. Basile, Ph.D. Gentoo Developer

Re: [gentoo-dev] USE=-ipv6 in the hardened profile

2011-02-08 Thread Anthony G. Basile
> I don't know of any reason and all my hardened servers have it, so yeah, it's a good idea. Let me do some more investigating to make sure I'm not missing anything and then I'll add it. -- Anthony G. Basile, Ph.D. Gentoo Developer

[gentoo-dev] Re: [gentoo-dev-announce] Stabilisation exceptions

2011-01-24 Thread Anthony G. Basile
th sys-kernel/hardened-sources, we also stabilize sys-apps/gradm because it is the userland tool for setting up RBAC in the hardened kernel. We often need to stabilize the two at the same time. -- Anthony G. Basile, Ph.D. Gentoo Developer

Re: [gentoo-dev] On hosting self-produced distfiles

2011-01-20 Thread Anthony G. Basile
On 01/20/2011 01:34 PM, Anthony G. Basile wrote: > On 01/20/2011 01:23 AM, "Paweł Hajdan, Jr." wrote: >> On 1/20/11 1:50 AM, Diego Elio Pettenò wrote: >>> If you produced the file yourself, and it doesn't matter if the file is >>> reproducible (unless it i

Re: [gentoo-dev] On hosting self-produced distfiles

2011-01-20 Thread Anthony G. Basile
before. > Storing distfiles in public_html is not a perfect solution either. If > the developer retires, what do we do with the files? > There is another problem: grep mirror /usr/portage/eclass/* | sed -e 's/:.*$//' | sort | uniq shows 39 eclasses which refer to mirror:// -- Anthony G. Basile, Ph.D. Gentoo Developer

Re: [gentoo-dev] Packages up for grabs

2011-01-06 Thread Anthony G. Basile
y little maintenance. > > net-misc/tor > A bump here and there (especially security fixes). Upstream really > nice, there were user requests for beta ebuilds which I have no time to > provide. > > V-Li > I'll take net-misc/tor. I know the upstream people. -- Anthony G. Basile, Ph.D. Gentoo Developer

Re: [gentoo-dev] News item for restructuring of hardened profiles.

2010-11-11 Thread Anthony G. Basile
On 11/10/2010 05:44 PM, Anthony G. Basile wrote: > On 11/10/2010 04:42 PM, Matthew Summers wrote: >> On Wed, Nov 10, 2010 at 3:39 PM, Matthew Summers >> wrote: >> >>> On Wed, Nov 10, 2010 at 3:22 PM, Anthony G. Basile > wrote: >>>> On 11/10/2010 10:29 A

Re: [gentoo-dev] News item for restructuring of hardened profiles.

2010-11-10 Thread Anthony G. Basile
On 11/10/2010 04:42 PM, Matthew Summers wrote: > On Wed, Nov 10, 2010 at 3:39 PM, Matthew Summers > wrote: > >> On Wed, Nov 10, 2010 at 3:22 PM, Anthony G. Basile wrote: >> >>> On 11/10/2010 10:29 AM, Petteri Räty wrote: >>>> On 11/10/2010 02:42 PM, Peter

Re: [gentoo-dev] News item for restructuring of hardened profiles.

2010-11-10 Thread Anthony G. Basile
On 11/10/2010 10:29 AM, Petteri Räty wrote: > On 11/10/2010 02:42 PM, Peter Volkov wrote: >> В Втр, 09/11/2010 в 18:20 -0500, Anthony G. Basile пишет: >>> Title: Restructuring of Hardened profiles >> [...] >>> Display-If-Profile: hardened/linux >> >> Is

Re: [gentoo-dev] Re: News item for restructuring of hardened profiles.

2010-11-10 Thread Anthony G. Basile
On 11/10/2010 08:30 AM, Christian Faulhammer wrote: > Hi, > > "Anthony G. Basile" : >> 1) authorship - I've added another line for the entire hardened team. >> I've kept my name in there because I'm the point person for the work. > That was my

Re: [gentoo-dev] Re: News item for restructuring of hardened profiles.

2010-11-10 Thread Anthony G. Basile
On 11/09/2010 11:08 PM, Duncan wrote: > Christian Faulhammer posted on Tue, 09 Nov 2010 23:51:45 +0100 as > excerpted: > >> Hi, >> >> "Anthony G. Basile" : >> >>> We will change the profiles one arch at a time, starting with ia64, and >>

[gentoo-dev] News item for restructuring of hardened profiles.

2010-11-09 Thread Anthony G. Basile
Hi everyone, I'd like to post the following news item about the restructuring of the hardened profiles. I'm passing it by the community for critical review. Anthony G. Basile (blueness) -- Anthony G. Basile, Ph.D. Gentoo Developer Title: Restructuring of Hardened profiles Author:

Re: [gentoo-dev] Hardened is planning on restructuring its profiles

2010-11-06 Thread Anthony G. Basile
On 11/06/2010 11:45 AM, Alex Alexander wrote: > On 6 Nov 2010, at 16:37, "Anthony G. Basile" wrote: > >> >> Hi everyone, >> >> The hardened team is planning to restructure its profiles so that there >> is no version. Thus on a amd64 system,

Re: [gentoo-dev] Hardened is planning on restructuring its profiles

2010-11-06 Thread Anthony G. Basile
On 11/06/2010 10:46 AM, Theo Chatzimichos wrote: > On Saturday 06 November 2010 16:37:41 Anthony G. Basile wrote: >> Hi everyone, >> >> The hardened team is planning to restructure its profiles so that there >> is no version. Thus on a amd64 system, >> >>

[gentoo-dev] Hardened is planning on restructuring its profiles

2010-11-06 Thread Anthony G. Basile
We're planning on starting with the minor arches and then moving onto x86 and amd64. Since this has the potential to impact all profiles (given the complex inheritance structure), we'd like any feedback or caveats before we proceed. Anthony G. Basile (blueness) and the hardened team --

Re: [gentoo-dev] enabling FEATURES=sfperms for all Linux profiles

2010-10-26 Thread Anthony G. Basile
abling this in > profiles/default/linux/ for all linux systems. > -mike > Good idea. Is this in response to the $ORIGIN root exploit in glibc? (bug #341755). - -- Anthony G. Basile, Ph.D. Gentoo Developer -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using Gn

Re: [gentoo-dev] openrc stabilization update

2010-09-20 Thread Anthony G. Basile
hat the GDP has > to worry about. newnet will still be there, but people will have to manually > opt out of oldnet and opt in to newnet. i dont think we need to worry about > documenting it in the handbook for now ... the bundled files with openrc are > sufficient. > -mike

Re: [gentoo-dev] openrc stabilization update

2010-09-20 Thread Anthony G. Basile
> It is small and simple, but the disadvantage of it is that you can't > stop/start a single interface. > > William > Why can't we keep both? There are strong advantages/disadvantages either way and there are users invested in both new/oldnet. I know this is more work on d

Re: [gentoo-dev] The future of sys-apps/openrc in Gentoo

2010-08-23 Thread Anthony G. Basile
freedesktop btw. > > lu > Agreed. For example, if one does cluster management with pacemaker or heartbeat you need to stick to more traditional shell based init scripts. Except for the lack of manpower, it would be nice to offer our users different flavors of system startups, but dropping

Re: [gentoo-dev] Two herds (and four extra?)

2010-07-22 Thread Anthony G. Basile
es the "otherwise" work. If we have herds listed before maintainers, do you still assign to the first maintainer? In other words, do you only default to the first herd if there are no maintainers listed at all? - -- Anthony G. Basile, Ph.D. Gentoo Developer -BEGIN PGP SIGNATURE

Re: [gentoo-dev] Two herds (and four extra?)

2010-07-21 Thread Anthony G. Basile
rdened. They are not two separate projects. The only reason for the two lists is to help keep the issues straight: kernel issues to hardened-kernel and userland/toolchain issues to hardened. [1] http://dev.gentoo.org/~blueness/hardened-sources/ - -- Anthony G. Basile, Ph.D. Gentoo Devel

Re: [gentoo-dev] Re: The future of sys-apps/openrc in Gentoo

2010-07-05 Thread Anthony G. Basile
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/04/10 23:32, Nirbheek Chauhan wrote: > On Mon, Jul 5, 2010 at 7:53 AM, Richard Freeman wrote: >> On 07/04/2010 04:09 PM, Jory A. Pratt wrote: >>> >>> For those of you not on the #gentoo-dev channel, I just announced I am >>> gonna be looking at
