Re: [gentoo-dev] Changes in server profiles
Patch applied but only for amd64 profile. @x86: feel free to adjust your
profile too.

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
Uni kept me quite busy this week so I will commit the patch this Sunday.

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
On Tue, Nov 02, 2010 at 10:23:36PM -0100, Jorge Manuel B. S. Vicetto wrote:
> On 02-11-2010 19:30, Markos Chandras wrote:
> - - ewarn "This profile has not been tested thoroughly and is not
> considered to be"
> - - ewarn "a supported server profile at this time. For a supported
> server"
> - - ewarn "profile, please check the Hardened project
> (http://hardened.gentoo.org)."
>
> As was stated a few times in this thread, simply dropping this ewarn
> without adding a warning somewhere that anyone looking for a production
> server profile should be looking at hardened, doesn't seem prudent to me.
>
> - --
> Regards,
>
> Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
> Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng

I plan to commit my latest patch on Sunday night. Thanks

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
On Tue, Nov 02, 2010 at 10:23:36PM -0100, Jorge Manuel B. S. Vicetto wrote:
> On 02-11-2010 19:30, Markos Chandras wrote:
> - - ewarn "This profile has not been tested thoroughly and is not
> considered to be"
> - - ewarn "a supported server profile at this time. For a supported
> server"
> - - ewarn "profile, please check the Hardened project
> (http://hardened.gentoo.org)."
>
> As was stated a few times in this thread, simply dropping this ewarn
> without adding a warning somewhere that anyone looking for a production
> server profile should be looking at hardened, doesn't seem prudent to me.
>

Hmm ok. Updated now

> - --
> Regards,
>
> Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
> Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410

Index: default/linux/amd64/10.0/server/profile.bashrc === RCS file: 
/var/cvsroot/gentoo-x86/profiles/default/linux/amd64/10.0/server/profile.bashrc,v retrieving revision 1.1 diff -u -b -B -u -r1.1 profile.bashrc --- default/linux/amd64/10.0/server/profile.bashrc 6 Aug 2009 06:33:39 - 1.1 +++ default/linux/amd64/10.0/server/profile.bashrc 2 Nov 2010 23:34:02 - @@ -6,16 +6,12 @@ then if [[ ! "${I_KNOW_WHAT_I_AM_DOING}" == "yes" ]] then - ewarn "This profile has not been tested thoroughly and is not considered to be" - ewarn "a supported server profile at this time. For a supported server" - ewarn "profile, please check the Hardened project (http://hardened.gentoo.org)." echo ewarn "This profile is merely a convenience for people who require a more" ewarn "minimal profile, yet are unable to use hardened due to restrictions in" - ewarn "the software being used on the server. This profile should also be used" - ewarn "if you require GCC 4.1 or Glibc 2.4 support. If you don't know if this" - ewarn "applies to you, then it doesn't and you should probably be using" - ewarn "Hardened, instead." + ewarn "the software being used on the server. If you seek for a secure" + ewarn "production server profile, please check the Hardened project" + ewarn "(http://hardened.gentoo.org)" echo fi fi Index: targets/server/make.defaults === RCS file: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v retrieving revision 1.2 diff -u -b -B -u -r1.2 make.defaults --- targets/server/make.defaults17 Aug 2009 18:32:10 - 1.2 +++ targets/server/make.defaults2 Nov 2010 23:34:03 - @@ -2,4 +2,4 @@ # Distributed under the terms of the GNU General Public License v2 # $Header: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v 1.2 2009/08/17 18:32:10 ssuominen Exp $ -USE="apache2 ldap mysql snmp truetype xml" +USE="-perl -python snmp truetype xml" pgp3cJ4oG4Xgo.pgp Description: PGP signature
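Review bot: in the added ewarn lines of the profile.bashrc hunk, "If you seek for a secure" is ungrammatical, and the new text ends at "(http://hardened.gentoo.org)" without the closing period that the removed lines had. Suggest wording the first added line as: ewarn "the software being used on the server. If you are looking for a secure", and ending the last one with "(http://hardened.gentoo.org)." Note also that the whole message stays inside the I_KNOW_WHAT_I_AM_DOING check, so the pointer to Hardened is hidden together with the rest for anyone who sets that variable to "yes".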
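Review bot: the new USE line in targets/server/make.defaults goes further than the plan stated in the thread (drop apache2 and ldap): it also drops mysql and adds the negations -perl -python, and nothing in the file says why. Negated flags in a profile switch off what a parent profile enabled, so existing users of this profile get a different flag set on their next update without any explanation next to the change. Suggest a comment above the USE line stating the intent (minimal flag set, fewer perl/python rebuilds) and listing all five flag changes in the commit message.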
Re: [gentoo-dev] Changes in server profiles
On 02-11-2010 19:30, Markos Chandras wrote:
- - ewarn "This profile has not been tested thoroughly and is not considered to be"
- - ewarn "a supported server profile at this time. For a supported server"
- - ewarn "profile, please check the Hardened project (http://hardened.gentoo.org)."

As was stated a few times in this thread, simply dropping this ewarn
without adding a warning somewhere that anyone looking for a production
server profile should be looking at hardened, doesn't seem prudent to me.

- --
Regards,

Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
Re: [gentoo-dev] Changes in server profiles
On Mon, Nov 01, 2010 at 08:41:34PM +0300, Peter Volkov wrote:
> On Sun, 31/10/2010 at 16:38 +0200, Alex Alexander wrote:
> > On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
> > > On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> > > > Isn't this essentially what the default profile is? Basically server is
> > > > just default + USE="apache2 ldap mysql snmp truetype xml".
> > > Well it shouldn't be like that. And if the default profile is pretty
> > > much the same as the server one, then please consider removing the
> > > server profile as it makes no sense then
> >
> > Please don't. The fact that there are only a few changes doesn't make it
> > useless. Also, you'd be forcing all users currently using the profile to
> > migrate without any real reason.
>
> But what is the target group of this profile? It sets only 6 USE flags
> that are really useless on half of servers (e.g. VPN/mail server). I'd
> better set only -perl -python there to make servers less dependent on
> python/perl updaters and decrease rebuilds for servers. Also it's good
> idea to make them hardened only as hardened works very well for
> servers.
>
> --
> Peter.

Attached you may find my final proposal for server profiles.

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410

Index: default/linux/amd64/10.0/server/profile.bashrc === RCS file: /var/cvsroot/gentoo-x86/profiles/default/linux/amd64/10.0/server/profile.bashrc,v retrieving revision 1.1 diff -u -b -B -u -r1.1 profile.bashrc --- default/linux/amd64/10.0/server/profile.bashrc 6 Aug 2009 06:33:39 - 1.1 +++ default/linux/amd64/10.0/server/profile.bashrc 2 Nov 2010 20:28:19 - 
@@ -6,16 +6,10 @@ then if [[ ! "${I_KNOW_WHAT_I_AM_DOING}" == "yes" ]] then - ewarn "This profile has not been tested thoroughly and is not considered to be" - ewarn "a supported server profile at this time. For a supported server" - ewarn "profile, please check the Hardened project (http://hardened.gentoo.org)." echo ewarn "This profile is merely a convenience for people who require a more" ewarn "minimal profile, yet are unable to use hardened due to restrictions in" - ewarn "the software being used on the server. This profile should also be used" - ewarn "if you require GCC 4.1 or Glibc 2.4 support. If you don't know if this" - ewarn "applies to you, then it doesn't and you should probably be using" - ewarn "Hardened, instead." + ewarn "the software being used on the server." echo fi fi Index: targets/server/make.defaults === RCS file: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v retrieving revision 1.2 diff -u -b -B -u -r1.2 make.defaults --- targets/server/make.defaults17 Aug 2009 18:32:10 - 1.2 +++ targets/server/make.defaults2 Nov 2010 20:28:20 - @@ -2,4 +2,4 @@ # Distributed under the terms of the GNU General Public License v2 # $Header: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v 1.2 2009/08/17 18:32:10 ssuominen Exp $ -USE="apache2 ldap mysql snmp truetype xml" +USE="-perl -python snmp truetype xml" pgpMEDQEFGMJx.pgp Description: PGP signature
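Review bot: after the profile.bashrc hunk the warning no longer tells the reader where to find a supported or hardened profile. Both removed passages that named the Hardened project go away (the first three ewarn lines with the URL, and the closing "Hardened, instead."), and the remaining text only says the user is "unable to use hardened". Suggest keeping one ewarn line that points to http://hardened.gentoo.org for anyone who wants a production server profile, and removing only the obsolete GCC 4.1 / Glibc 2.4 sentence.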
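Review bot: the USE change is made in targets/server/make.defaults, a path that is not specific to amd64, while the profile.bashrc hunk in the same patch is under default/linux/amd64/10.0/server. If only the amd64 server profile is meant to change, the new flag set belongs in a make.defaults next to that profile.bashrc; if the shared target is meant, say so in the commit message, since any other server profile that uses this target changes as well.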
Re: [gentoo-dev] Changes in server profiles
On Mon, Nov 01, 2010 at 08:41:34PM +0300, Peter Volkov wrote:
> On Sun, 31/10/2010 at 16:38 +0200, Alex Alexander wrote:
> > On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
> > > On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> > > > Isn't this essentially what the default profile is? Basically server is
> > > > just default + USE="apache2 ldap mysql snmp truetype xml".
> > > Well it shouldn't be like that. And if the default profile is pretty
> > > much the same as the server one, then please consider removing the
> > > server profile as it makes no sense then
> >
> > Please don't. The fact that there are only a few changes doesn't make it
> > useless. Also, you'd be forcing all users currently using the profile to
> > migrate without any real reason.
>
> But what is the target group of this profile? It sets only 6 USE flags
> that are really useless on half of servers (e.g. VPN/mail server). I'd
> better set only -perl -python there to make servers less dependent on
> python/perl updaters and decrease rebuilds for servers. Also it's good
> idea to make them hardened only as hardened works very well for
> servers.
>
> --
> Peter.

Errr no. There are also home based fileservers, media servers, routers,
radio servers blah blah blah. Not everyone needs the hardened
toolchain/kernel/security/etc. The target group are lightweight servers
for home or SOHO usage, file sharing, nfs, etc. I maintain such a server
group so I am talking based on personal experience. As I said before
server usage is not always security oriented. Yes, perhaps using
-python/-perl might be good.

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
On Sun, 31/10/2010 at 16:38 +0200, Alex Alexander wrote:
> On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
> > On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> > > Isn't this essentially what the default profile is? Basically server is
> > > just default + USE="apache2 ldap mysql snmp truetype xml".
> > Well it shouldn't be like that. And if the default profile is pretty
> > much the same as the server one, then please consider removing the
> > server profile as it makes no sense then
>
> Please don't. The fact that there are only a few changes doesn't make it
> useless. Also, you'd be forcing all users currently using the profile to
> migrate without any real reason.

But what is the target group of this profile? It sets only 6 USE flags
that are really useless on half of servers (e.g. VPN/mail server). I'd
better set only -perl -python there to make servers less dependent on
python/perl updaters and decrease rebuilds for servers. Also it's good
idea to make them hardened only as hardened works very well for servers.

--
Peter.
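What the change debated in this thread does to the effective flag set, as an added example that is not part of any message here and is not Portage code: a simplified model of incremental USE stacking (a bare flag enables, -flag disables, -* clears, later layers win). The two server lines are the ones from the patch in this thread; the parent profile flags and the make.conf line are constructed samples.

```python
"""Simplified model of incremental USE stacking across profile layers."""
import shlex


def parse_use(text):
    """Return the flag tokens of every USE="..." line in a make.defaults or
    make.conf body; comments and other variables are ignored."""
    tokens = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("USE="):
            continue
        # shlex removes the quotes (and trailing # comments) as a shell would
        for word in shlex.split(line[len("USE="):], comments=True):
            tokens.extend(word.split())
    return tokens


def stack_use(layers):
    """Apply the layers in order: parent profile first, make.conf last."""
    enabled = set()
    for text in layers:
        for tok in parse_use(text):
            if tok == "-*":
                enabled.clear()            # wipe everything set so far
            elif tok.startswith("-"):
                enabled.discard(tok[1:])   # negation removes an inherited flag
            else:
                enabled.add(tok)
    return enabled


# Constructed stand-in for what a parent profile enables (an assumption).
PARENT = 'USE="berkdb perl python ssl"\n'

# targets/server/make.defaults before and after the patch in this thread.
SERVER_OLD = 'USE="apache2 ldap mysql snmp truetype xml"\n'
SERVER_NEW = 'USE="-perl -python snmp truetype xml"\n'

# Constructed make.conf of an admin who re-enables what the box needs.
MAKE_CONF = 'USE="apache2 mysql"\n'


def profile_change(parent, old, new, make_conf=""):
    """Return (lost, gained) flags when the server layer goes from old to new."""
    before = stack_use([parent, old, make_conf])
    after = stack_use([parent, new, make_conf])
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    lost, gained = profile_change(PARENT, SERVER_OLD, SERVER_NEW)
    print("profile only      lost:", lost, "gained:", gained)
    lost, gained = profile_change(PARENT, SERVER_OLD, SERVER_NEW, MAKE_CONF)
    print("with make.conf    lost:", lost, "gained:", gained)
```

Flags a machine depends on should be set in its own make.conf, where they survive a profile change; the second call shows exactly that.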
Re: [gentoo-dev] Changes in server profiles
On Sun, Oct 31, 2010 at 12:47:32PM -0700, Alec Warner wrote:
> On Sun, Oct 31, 2010 at 7:38 AM, Alex Alexander wrote:
> > On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
> >> On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> >> > On 10/30/2010 08:10 AM, Thomas Sachau wrote:
> >> > > If I remember it right, the server profile was created for those
> >> > > people, who only want a minimum amount of default profile enabled
> >> > > USE flags (so no desktop profile because of that), but on the
> >> > > other side don't want to do the additional work/checks/reading for
> >> > > hardened profiles (which have much less profile enabled USE flags,
> >> > > but also have the special gcc, glibc and Kernel), basically a
> >> > > profile, which does the same as hardened profile without the
> >> > > specific hardened bits.
> >> >
> >> > Isn't this essentially what the default profile is? Basically server is
> >> > just default + USE="apache2 ldap mysql snmp truetype xml".
> >> Well it shouldn't be like that. And if the default profile is pretty
> >> much the same as the server one, then please consider removing the
> >> server profile as it makes no sense then
> >
> > Please don't. The fact that there are only a few changes doesn't make it
> > useless. Also, you'd be forcing all users currently using the profile to
> > migrate without any real reason.
>
> We don't really delete profiles (maybe once every few years...) We
> could opt to mark the server target deprecated and not update it
> anymore.
>
> -A
>
> > --
> > Alex Alexander | wired
> > Gentoo Linux Developer | Council / Qt / Chromium / more
> > www.linuxized.com

I did not literally mean what I said. My intention is to make server
profiles useful. They are not equivalent to default profile (at least
they shouldn't).

I see that this discussion is moving to dead-end so I will do what I
suggested at least at the amd64 profile

1) drop apache2, ldap use flags
2) Adjust warning message to reflect reality

in 72 hours

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
On Sun, Oct 31, 2010 at 7:38 AM, Alex Alexander wrote:
> On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
>> On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
>> > On 10/30/2010 08:10 AM, Thomas Sachau wrote:
>> > > If I remember it right, the server profile was created for those
>> > > people, who only want a minimum amount of default profile enabled
>> > > USE flags (so no desktop profile because of that), but on the
>> > > other side don't want to do the additional work/checks/reading for
>> > > hardened profiles (which have much less profile enabled USE flags,
>> > > but also have the special gcc, glibc and Kernel), basically a
>> > > profile, which does the same as hardened profile without the
>> > > specific hardened bits.
>> >
>> > Isn't this essentially what the default profile is? Basically server is
>> > just default + USE="apache2 ldap mysql snmp truetype xml".
>> Well it shouldn't be like that. And if the default profile is pretty
>> much the same as the server one, then please consider removing the
>> server profile as it makes no sense then
>
> Please don't. The fact that there are only a few changes doesn't make it
> useless. Also, you'd be forcing all users currently using the profile to
> migrate without any real reason.

We don't really delete profiles (maybe once every few years...) We
could opt to mark the server target deprecated and not update it
anymore.

-A

> --
> Alex Alexander | wired
> Gentoo Linux Developer | Council / Qt / Chromium / more
> www.linuxized.com
Re: [gentoo-dev] Changes in server profiles
On Sun, Oct 31, 2010 at 04:38:09PM +0200, Alex Alexander wrote:
> On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
> > On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> > > On 10/30/2010 08:10 AM, Thomas Sachau wrote:
> > > > If I remember it right, the server profile was created for those
> > > > people, who only want a minimum amount of default profile enabled
> > > > USE flags (so no desktop profile because of that), but on the
> > > > other side don't want to do the additional work/checks/reading for
> > > > hardened profiles (which have much less profile enabled USE flags,
> > > > but also have the special gcc, glibc and Kernel), basically a
> > > > profile, which does the same as hardened profile without the
> > > > specific hardened bits.
> > >
> > > Isn't this essentially what the default profile is? Basically server is
> > > just default + USE="apache2 ldap mysql snmp truetype xml".
> > Well it shouldn't be like that. And if the default profile is pretty
> > much the same as the server one, then please consider removing the
> > server profile as it makes no sense then
>
> Please don't. The fact that there are only a few changes doesn't make it
> useless. Also, you'd be forcing all users currently using the profile to
> migrate without any real reason.
>
> --
> Alex Alexander | wired
> Gentoo Linux Developer | Council / Qt / Chromium / more
> www.linuxized.com

You are missing the point here. My intention is to make server profiles
more "generic" for server usage and not optimised for ldap/web hosting
services

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
> On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> > On 10/30/2010 08:10 AM, Thomas Sachau wrote:
> > > If I remember it right, the server profile was created for those
> > > people, who only want a minimum amount of default profile enabled
> > > USE flags (so no desktop profile because of that), but on the
> > > other side don't want to do the additional work/checks/reading for
> > > hardened profiles (which have much less profile enabled USE flags,
> > > but also have the special gcc, glibc and Kernel), basically a
> > > profile, which does the same as hardened profile without the
> > > specific hardened bits.
> >
> > Isn't this essentially what the default profile is? Basically server is
> > just default + USE="apache2 ldap mysql snmp truetype xml".
> Well it shouldn't be like that. And if the default profile is pretty
> much the same as the server one, then please consider removing the
> server profile as it makes no sense then

Please don't. The fact that there are only a few changes doesn't make it
useless. Also, you'd be forcing all users currently using the profile to
migrate without any real reason.

--
Alex Alexander | wired
Gentoo Linux Developer | Council / Qt / Chromium / more
www.linuxized.com
Re: [gentoo-dev] Changes in server profiles
On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> On 10/30/2010 08:10 AM, Thomas Sachau wrote:
> > If I remember it right, the server profile was created for those
> > people, who only want a minimum amount of default profile enabled
> > USE flags (so no desktop profile because of that), but on the
> > other side don't want to do the additional work/checks/reading for
> > hardened profiles (which have much less profile enabled USE flags,
> > but also have the special gcc, glibc and Kernel), basically a
> > profile, which does the same as hardened profile without the
> > specific hardened bits.
>
> Isn't this essentially what the default profile is? Basically server is
> just default + USE="apache2 ldap mysql snmp truetype xml".

Well it shouldn't be like that. And if the default profile is pretty
much the same as the server one, then please consider removing the
server profile as it makes no sense then

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
On 10/30/2010 08:10 AM, Thomas Sachau wrote:
> If I remember it right, the server profile was created for those
> people, who only want a minimum amount of default profile enabled
> USE flags (so no desktop profile because of that), but on the
> other side don't want to do the additional work/checks/reading for
> hardened profiles (which have much less profile enabled USE flags,
> but also have the special gcc, glibc and Kernel), basically a
> profile, which does the same as hardened profile without the
> specific hardened bits.

Isn't this essentially what the default profile is? Basically server is
just default + USE="apache2 ldap mysql snmp truetype xml".

Hmm, which of those flags is not like the others? Maybe it is needed for
a use-dependency/etc.

It seems like a not-quite-minimal and definitely not all-in-one set of
features. I could see if this were some kind of run-your-whole-network
appliance that threw in everything from DNS to mail to asterisk, and
with a canned set of integrated configuration files for turnkey
operation. I could see if we just stuck with the minimal default
profile. I just don't get having a LAMP box without the P, but with ldap
and snmp - oh, and truetype...

Rich
Re: [gentoo-dev] Changes in server profiles
On 30.10.2010 03:37, Donnie Berkholz wrote:
> On 15:46 Fri 29 Oct , Thomas Sachau wrote:
>> Which raises the question, if those people, who want to install a
>> minimal server will mostly use apache or something different. And
>> especially for minimal setups, I don't think that apache will be the
>> first choice, so I agree with the removal of those USE flags from
>> default IUSE. The profile is intended to have a minimal set of flags,
>> I would call apache an additional optional flag, not a default option
>> for minimal server setups.
>
> I'm not sure when this transition happened, as profile USE flags have
> traditionally been a reasonable default set rather than a minimal set.
> This gives people who don't have much experience with Gentoo a decent
> chance at getting a working system on their first try. For people who
> have more experience, it's not exactly difficult to change things.

If I remember it right, the server profile was created for those people,
who only want a minimum amount of default profile enabled USE flags (so
no desktop profile because of that), but on the other side don't want to
do the additional work/checks/reading for hardened profiles (which have
much less profile enabled USE flags, but also have the special gcc,
glibc and Kernel), basically a profile, which does the same as hardened
profile without the specific hardened bits.

--
Thomas Sachau
Gentoo Linux Developer
Re: [gentoo-dev] Changes in server profiles
On 10/30/2010 05:09 AM, Markos Chandras wrote:
> On Sat, Oct 30, 2010 at 10:05:17AM +0400, Peter Volkov wrote:
>> On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
>>> On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras wrote:
>>> Can I install a machine with the server profile and USE=-ldap, but
>>> still get ldap + pam working?
>>> Can I install a machine with the server profile and USE=-apache, but
>>> still get apache + php working? apache + rails?
>>> How many packages support each USE flag?
>>> How many of those packages have IUSE defaults for +ldap or +apache already?
>>
>> Having lxc/openvz/vserver technologies at hand it's not rare to split
>> LAMP server into a number of virtual servers (containers): mysql /
>> backend with php / frontend / smtp - everything sits in its own
>> container. And USE=apache will be used only in _one_ container. Also not
>> all servers are web servers. So IMO server profile should be just
>> minimal profile that hints users that this profile will stay minimal and
>> usable for all kinds of servers. That said I think server profile is
>> useless and for servers I maintain my own profiles.
>>
>> --
>> Peter.
>
> Exactly! How about the warning message. Should the statement about
> gcc+glibc be removed and keep the one about hardened but make it a bit
> different? Like "This profile is making use of a minimal set of use flag.
> You may find it useful in a server environment. However, if you are seeking
> for extra security, please check the Hardened project
> (http://hardened.gentoo.org)."

What exactly is the intended use of the server flag? When I want a
minimal image, I usually just use the default profile. That is pretty
much a bare-bones gentoo install.

I can see the use of desktop, and I can see the use of hardened. Right
now server just looks like default with random stuff for various kinds
of servers added.

I could see if server had a different set of keywords and QA policy
(like debian stable), or if there were a set of use flags that would be
universally useful on a server and not on a desktop.

Right now it just seems like the server profile exists since lots of
other distros have server editions, so we should too. If that is the
case, why not just point users to the default profile, or hardened?

I'd be curious what the users of the server profile say. If anything
they are the ones we should be listening to since they've found a use
for it.

Rich
Re: [gentoo-dev] Changes in server profiles
On Sat, Oct 30, 2010 at 10:05:17AM +0400, Peter Volkov wrote:
> On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
> > On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras wrote:
> > Can I install a machine with the server profile and USE=-ldap, but
> > still get ldap + pam working?
> > Can I install a machine with the server profile and USE=-apache, but
> > still get apache + php working? apache + rails?
> > How many packages support each USE flag?
> > How many of those packages have IUSE defaults for +ldap or +apache already?
>
> Having lxc/openvz/vserver technologies at hand it's not rare to split
> LAMP server into a number of virtual servers (containers): mysql /
> backend with php / frontend / smtp - everything sits in its own
> container. And USE=apache will be used only in _one_ container. Also not
> all servers are web servers. So IMO server profile should be just
> minimal profile that hints users that this profile will stay minimal and
> usable for all kinds of servers. That said I think server profile is
> useless and for servers I maintain my own profiles.
>
> --
> Peter.

Exactly! How about the warning message. Should the statement about
gcc+glibc be removed and keep the one about hardened but make it a bit
different? Like "This profile is making use of a minimal set of use flag.
You may find it useful in a server environment. However, if you are
seeking for extra security, please check the Hardened project
(http://hardened.gentoo.org)."

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
Re: [gentoo-dev] Changes in server profiles
On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
> On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras wrote:
> Can I install a machine with the server profile and USE=-ldap, but
> still get ldap + pam working?
> Can I install a machine with the server profile and USE=-apache, but
> still get apache + php working? apache + rails?
> How many packages support each USE flag?
> How many of those packages have IUSE defaults for +ldap or +apache already?

Having lxc/openvz/vserver technologies at hand it's not rare to split
LAMP server into a number of virtual servers (containers): mysql /
backend with php / frontend / smtp - everything sits in its own
container. And USE=apache will be used only in _one_ container. Also not
all servers are web servers. So IMO server profile should be just
minimal profile that hints users that this profile will stay minimal and
usable for all kinds of servers. That said I think server profile is
useless and for servers I maintain my own profiles.

--
Peter.
Re: [gentoo-dev] Changes in server profiles
On 15:46 Fri 29 Oct , Thomas Sachau wrote:
> Which raises the question, if those people, who want to install a
> minimal server will mostly use apache or something different. And
> especially for minimal setups, I don't think that apache will be the
> first choice, so I agree with the removal of those USE flags from
> default IUSE. The profile is intended to have a minimal set of flags,
> I would call apache an additional optional flag, not a default option
> for minimal server setups.

I'm not sure when this transition happened, as profile USE flags have
traditionally been a reasonable default set rather than a minimal set.
This gives people who don't have much experience with Gentoo a decent
chance at getting a working system on their first try. For people who
have more experience, it's not exactly difficult to change things.

--
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.wordpress.com
Re: [gentoo-dev] Changes in server profiles
On 10/29/10 6:29 PM, Markos Chandras wrote:
> Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete.
> At least this part has to be removed/changed

Fine for me.
Re: [gentoo-dev] Changes in server profiles
On Fri, Oct 29, 2010 at 09:11:33AM -0700, Alec Warner wrote: > 'Anyone wanting to run a secure server profile should use hardened' > tends to imply that the server profile is insecure which is probably > not what you intend to convey to users. Hardened is likely more > secure (which is all we can really say authoritatively...) I don't > think saying that *somewhere* is a bad idea. The profile.bashrc is > likely not the best place however. I understand your concern and why someone might get confused about the server/hardened thingie however I think that polluting this profile in this way is not acceptable. Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete. At least this part has to be removed/changed > > >> If so, I'd leave that warning alone until we get enough people working > >> on the server profiles so we can make any promises about it. > > How many? Work on what actually? It is just a profile with minimal use > > flags. There is nothing to work on :-/ I don't understand that. Tell me > > which areas of server profile need more attention so I can understand > > what are you talking about > > If it is a profile with minimal use flags why not call it minimal? :) Cause 'server' is minimal by default. > > >> > >> If we had the statistics for it, we could check how many people have > >> apache installed with that profile vs not having it. As there's nothing > >> preventing one from having USE="-apache2 -ldap" when required and I > >> don't use the server profiles, I don't really have a strong opinion > >> about this. > > Same for USE="apache2 ldap" on make.conf. That is not a valid argument > > :) > > 1) I don't believe anyone has any clear data on what flags are enabled > or disabled by users. > 2) Each of us users the server profile differently. > 3) Each of us has a different idea of what is involved with running a server. 
> > It is difficult to take the argument in any strong direction due to > these types of problems (it is an obvious bikeshed..) > > I will instead try a different tact. I think it is advantageous to > reduce the number of default flags. There is a question of what will > break though; so that is the question I pose to you. > > Can I install a machine with the server profile and USE=-ldap, but > still get ldap + pam working? > Can I install a machine with the server profile and USE=-apache, but > still get apache + php working? apache + rails? > How many packages support each USE flag? > How many of those packages have IUSE defaults for +ldap or +apache already? First of all, relying on specific package use flag choices is wrong by default. What if these package change their default use flags some day? Are you sure you want to engineer your profiles' behavior based on specific packages? Using these flags by default you imply that the server profile is optimised for web hosting/active directory usage. So why don't you add ipv6, snmp, vhosts by default too, to include all those firewall/router hosts running Gentoo? The server profile *imho* should have as few as possible USE flags. Users who use this profile should be well educated on how to add more USE flags if needed. -- Markos Chandras (hwoarang) Gentoo Linux Developer Web: http://hwoarang.silverarrow.org Key ID: 441AC410 Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410 pgpFeSJRtjh2I.pgp Description: PGP signature
Re: [gentoo-dev] Changes in server profiles
On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras wrote: > On Fri, Oct 29, 2010 at 12:02:20PM +, Jorge Manuel B. S. Vicetto wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> Hi. >> >> On 29-10-2010 11:03, Markos Chandras wrote: >> > Hi >> > >> > I don't know how many of you are using these profiles. I would like to >> > propose a couple of changes >> > >> > 1) I want to drop the warning message located on profile.bashrc files >> > e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc >> > It is more than obvious what this profile is for so I don't think this >> > message makes any sense. >> >> I've always taken the message about the server profiles not being >> properly tested as a warning that anyone wanting to run a "secure" >> server profile should use one of the hardened profiles. > But isn't that obvious? How is server profiles related to hardened > anyway? Anyway, this can stay. The rest about GCC and Glibc I think is > useless I think there are two nagging things that this thread raises. Jorge's comment leads me to: 'Anyone wanting to run a secure server profile should use hardened' tends to imply that the server profile is insecure which is probably not what you intend to convey to users. Hardened is likely more secure (which is all we can really say authoritatively...) I don't think saying that *somewhere* is a bad idea. The profile.bashrc is likely not the best place however. >> If so, I'd leave that warning alone until we get enough people working >> on the server profiles so we can make any promises about it. > How many? Work on what actually? It is just a profile with minimal use > flags. There is nothing to work on :-/ I don't understand that. Tell me > which areas of server profile need more attention so I can understand > what are you talking about If it is a profile with minimal use flags why not call it minimal? 
:) >> >> > 2) Furthermore I would like to drop the following use flags from default >> > IUSE >> > >> > -apache2 >> > -ldap >> > >> > A minimal server installation does requires neither apache2 nor ldap >> >> Although one can install a server without apache or ldap, I'd say the >> server profile seems the natural choice to have them enabled. > So you assume that the most common server configuration is for active > directory or web hosting I think the values are there as a CYA thing to replace auto-use. I think when someone installs LDAP they generally want the ldap use flag (so optionally LDAP support is compiled into apps. The same thing is true of apache. Now sadly I removed support for auto-use around 2006 because it was a giant mess so instead we have default profile use flags. >> If we had the statistics for it, we could check how many people have >> apache installed with that profile vs not having it. As there's nothing >> preventing one from having USE="-apache2 -ldap" when required and I >> don't use the server profiles, I don't really have a strong opinion >> about this. > Same for USE="apache2 ldap" on make.conf. That is not a valid argument > :) 1) I don't believe anyone has any clear data on what flags are enabled or disabled by users. 2) Each of us users the server profile differently. 3) Each of us has a different idea of what is involved with running a server. It is difficult to take the argument in any strong direction due to these types of problems (it is an obvious bikeshed..) I will instead try a different tact. I think it is advantageous to reduce the number of default flags. There is a question of what will break though; so that is the question I pose to you. Can I install a machine with the server profile and USE=-ldap, but still get ldap + pam working? Can I install a machine with the server profile and USE=-apache, but still get apache + php working? apache + rails? How many packages support each USE flag? 
How many of those packages have IUSE defaults for +ldap or +apache already? -A >> >> - -- >> Regards, >> >> Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org >> Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
Re: [gentoo-dev] Changes in server profiles
On Fri, Oct 29, 2010 at 4:23 PM, Rafael Goncalves Martins wrote: > On Fri, Oct 29, 2010 at 11:46 AM, Thomas Sachau wrote: >> Am 29.10.2010 14:13, schrieb Petteri Räty: >>> On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote: >>> > 2) Furthermore I would like to drop the following use flags from default > IUSE > -apache2 > -ldap > A minimal server installation does requires neither apache2 nor ldap Although one can install a server without apache or ldap, I'd say the server profile seems the natural choice to have them enabled. If we had the statistics for it, we could check how many people have apache installed with that profile vs not having it. As there's nothing preventing one from having USE="-apache2 -ldap" when required and I don't use the server profiles, I don't really have a strong opinion about this. >>> >>> And enabling a use flag should be question of is it wanted when a >>> package actually support those flags. On a server when you are >>> installing a package with a apache use flag it's certainly possible to >>> you would like to have it enabled more often than not. >>> >>> Regards, >>> Petteri >>> >>> >> >> Which raises the question, if those people, who want to install a minimal >> server will mostly use >> apache or something different. And especially for minimal setups, i dont >> think that apache will be >> the first choice, so i agree with the removal of those USE flags from >> default IUSE. >> The profile is intended to have a minimal set of flags, i would call apache >> an additional optional >> flag, not a default option for minimal server setups. >> > > Totally agreed! > > Best regards. > > -- > Rafael Goncalves Martins > Gentoo Linux developer > http://rafaelmartins.eng.br/ > > I use the server profile and I would also like a minimal set of use flags. I don't think you need to force sysadmins, that know what they want, to have those flags. Regards, Kfir
Re: [gentoo-dev] Changes in server profiles
On Fri, Oct 29, 2010 at 11:46 AM, Thomas Sachau wrote: > Am 29.10.2010 14:13, schrieb Petteri Räty: >> On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote: >> >>> 2) Furthermore I would like to drop the following use flags from default IUSE >>> -apache2 -ldap >>> A minimal server installation does requires neither apache2 nor ldap >>> >>> Although one can install a server without apache or ldap, I'd say the >>> server profile seems the natural choice to have them enabled. >>> If we had the statistics for it, we could check how many people have >>> apache installed with that profile vs not having it. As there's nothing >>> preventing one from having USE="-apache2 -ldap" when required and I >>> don't use the server profiles, I don't really have a strong opinion >>> about this. >>> >> >> And enabling a use flag should be question of is it wanted when a >> package actually support those flags. On a server when you are >> installing a package with a apache use flag it's certainly possible to >> you would like to have it enabled more often than not. >> >> Regards, >> Petteri >> >> > > Which raises the question, if those people, who want to install a minimal > server will mostly use > apache or something different. And especially for minimal setups, i dont > think that apache will be > the first choice, so i agree with the removal of those USE flags from default > IUSE. > The profile is intended to have a minimal set of flags, i would call apache > an additional optional > flag, not a default option for minimal server setups. > Totally agreed! Best regards. -- Rafael Goncalves Martins Gentoo Linux developer http://rafaelmartins.eng.br/
Re: [gentoo-dev] Changes in server profiles
Am 29.10.2010 14:13, schrieb Petteri Räty: > On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote: > >> >>> 2) Furthermore I would like to drop the following use flags from default >>> IUSE >> >>> -apache2 >>> -ldap >> >>> A minimal server installation does requires neither apache2 nor ldap >> >> Although one can install a server without apache or ldap, I'd say the >> server profile seems the natural choice to have them enabled. >> If we had the statistics for it, we could check how many people have >> apache installed with that profile vs not having it. As there's nothing >> preventing one from having USE="-apache2 -ldap" when required and I >> don't use the server profiles, I don't really have a strong opinion >> about this. >> > > And enabling a use flag should be question of is it wanted when a > package actually support those flags. On a server when you are > installing a package with a apache use flag it's certainly possible to > you would like to have it enabled more often than not. > > Regards, > Petteri > > Which raises the question, if those people, who want to install a minimal server will mostly use apache or something different. And especially for minimal setups, i dont think that apache will be the first choice, so i agree with the removal of those USE flags from default IUSE. The profile is intended to have a minimal set of flags, i would call apache an additional optional flag, not a default option for minimal server setups. -- Thomas Sachau Gentoo Linux Developer signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Changes in server profiles
On Fri, Oct 29, 2010 at 12:02:20PM +, Jorge Manuel B. S. Vicetto wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hi. > > On 29-10-2010 11:03, Markos Chandras wrote: > > Hi > > > > I don't know how many of you are using these profiles. I would like to > > propose a couple of changes > > > > 1) I want to drop the warning message located on profile.bashrc files > > e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc > > It is more than obvious what this profile is for so I don't think this > > message makes any sense. > > I've always taken the message about the server profiles not being > properly tested as a warning that anyone wanting to run a "secure" > server profile should use one of the hardened profiles. But isn't that obvious? How is server profiles related to hardened anyway? Anyway, this can stay. The rest about GCC and Glibc I think is useless > If so, I'd leave that warning alone until we get enough people working > on the server profiles so we can make any promises about it. How many? Work on what actually? It is just a profile with minimal use flags. There is nothing to work on :-/ I don't understand that. Tell me which areas of server profile need more attention so I can understand what are you talking about > > > 2) Furthermore I would like to drop the following use flags from default > > IUSE > > > > -apache2 > > -ldap > > > > A minimal server installation does requires neither apache2 nor ldap > > Although one can install a server without apache or ldap, I'd say the > server profile seems the natural choice to have them enabled. So you assume that the most common server configuration is for active directory or web hosting > If we had the statistics for it, we could check how many people have > apache installed with that profile vs not having it. As there's nothing > preventing one from having USE="-apache2 -ldap" when required and I > don't use the server profiles, I don't really have a strong opinion > about this. 
Same for USE="apache2 ldap" on make.conf. That is not a valid argument :) > > - -- > Regards, > > Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org > Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng > -- Markos Chandras (hwoarang) Gentoo Linux Developer Web: http://hwoarang.silverarrow.org Key ID: 441AC410 Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410 pgp1ka2LRRcJo.pgp Description: PGP signature
Re: [gentoo-dev] Changes in server profiles
On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote: > >> 2) Furthermore I would like to drop the following use flags from default >> IUSE > >> -apache2 >> -ldap > >> A minimal server installation does requires neither apache2 nor ldap > > Although one can install a server without apache or ldap, I'd say the > server profile seems the natural choice to have them enabled. > If we had the statistics for it, we could check how many people have > apache installed with that profile vs not having it. As there's nothing > preventing one from having USE="-apache2 -ldap" when required and I > don't use the server profiles, I don't really have a strong opinion > about this. > And enabling a use flag should be question of is it wanted when a package actually support those flags. On a server when you are installing a package with a apache use flag it's certainly possible to you would like to have it enabled more often than not. Regards, Petteri
Re: [gentoo-dev] Changes in server profiles
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi. On 29-10-2010 11:03, Markos Chandras wrote: > Hi > > I don't know how many of you are using these profiles. I would like to > propose a couple of changes > > 1) I want to drop the warning message located on profile.bashrc files > e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc > It is more than obvious what this profile is for so I don't think this > message makes any sense. I've always taken the message about the server profiles not being properly tested as a warning that anyone wanting to run a "secure" server profile should use one of the hardened profiles. If so, I'd leave that warning alone until we get enough people working on the server profiles so we can make any promises about it. > 2) Furthermore I would like to drop the following use flags from default > IUSE > > -apache2 > -ldap > > A minimal server installation does requires neither apache2 nor ldap Although one can install a server without apache or ldap, I'd say the server profile seems the natural choice to have them enabled. If we had the statistics for it, we could check how many people have apache installed with that profile vs not having it. As there's nothing preventing one from having USE="-apache2 -ldap" when required and I don't use the server profiles, I don't really have a strong opinion about this. 
- -- Regards, Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
Re: [gentoo-dev] Changes in server profiles
On 10/29/10 1:24 PM, Markos Chandras wrote: > On Fri, Oct 29, 2010 at 01:18:14PM +0200, "Paweł Hajdan, Jr." wrote: >>> ewarn "This profile has not been tested thoroughly and is not considered to >>> be" >>> ewarn "a supported server profile at this time. For a supported server" If the above is no longer true you can safely ignore my earlier comments. :-D Actually, removing the no-longer-true message sounds good. signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Changes in server profiles
On Fri, Oct 29, 2010 at 01:18:14PM +0200, "Paweł Hajdan, Jr." wrote: > On 10/29/10 1:03 PM, Markos Chandras wrote: > > 1) I want to drop the warning message located on profile.bashrc files > > e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc > > It is more than obvious what this profile is for so I don't think this > > message makes any sense. > > > ewarn "This profile has not been tested thoroughly and is not considered to > > be" > > ewarn "a supported server profile at this time. For a supported server" > > The above is definitely not obvious. Is this documented in any other place? This is there for years. You think that anyone is working on that in order to verify whether it is a *stable* server profile or not? I use it since the very beginning on my servers and I say that it works! > > > ewarn "the software being used on the server. This profile should also be > > used" > > ewarn "if you require GCC 4.1 or Glibc 2.4 support. If you don't know if > > this" > > That too. > I use the latest stable for GCC+Glibc and never had an issue. Maybe some people are confusing the server profiles with the hardened one? > By the way, I think there was some way to mark a profile as > "development", "unsupported", or something like that. It's been in this state for years so I do not expect someone to actually working on that > > > 2) Furthermore I would like to drop the following use flags from default > > IUSE > > > > -apache2 > > -ldap > > > > A minimal server installation does requires neither apache2 nor ldap > > Sounds good (I'm not using a server profile though). > -- Markos Chandras (hwoarang) Gentoo Linux Developer Web: http://hwoarang.silverarrow.org Key ID: 441AC410 Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410 pgpNu2r4IIumC.pgp Description: PGP signature
Re: [gentoo-dev] Changes in server profiles
On 10/29/10 1:03 PM, Markos Chandras wrote: > 1) I want to drop the warning message located on profile.bashrc files > e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc > It is more than obvious what this profile is for so I don't think this > message makes any sense. > ewarn "This profile has not been tested thoroughly and is not considered to > be" > ewarn "a supported server profile at this time. For a supported server" The above is definitely not obvious. Is this documented in any other place? > ewarn "the software being used on the server. This profile should also be > used" > ewarn "if you require GCC 4.1 or Glibc 2.4 support. If you don't know if this" That too. By the way, I think there was some way to mark a profile as "development", "unsupported", or something like that. > 2) Furthermore I would like to drop the following use flags from default > IUSE > > -apache2 > -ldap > > A minimal server installation does requires neither apache2 nor ldap Sounds good (I'm not using a server profile though). signature.asc Description: OpenPGP digital signature
[gentoo-dev] Changes in server profiles
Hi I don't know how many of you are using these profiles. I would like to propose a couple of changes 1) I want to drop the warning message located on profile.bashrc files e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc It is more than obvious what this profile is for so I don't think this message makes any sense. 2) Furthermore I would like to drop the following use flags from default IUSE -apache2 -ldap A minimal server installation does requires neither apache2 nor ldap -- Markos Chandras (hwoarang) Gentoo Linux Developer Web: http://hwoarang.silverarrow.org Key ID: 441AC410 Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410 pgplmiQx2kLCa.pgp Description: PGP signature