Re: [gentoo-dev] Changes in server profiles

2010-11-05 Thread Markos Chandras
On Tue, Nov 02, 2010 at 10:23:36PM -0100, Jorge Manuel B. S. Vicetto wrote:
 
 On 02-11-2010 19:30, Markos Chandras wrote:
 - -   ewarn This profile has not been tested thoroughly and is not
 considered to be
 - -   ewarn a supported server profile at this time.  For a supported
 server
 - -   ewarn profile, please check the Hardened project
 (http://hardened.gentoo.org).
 
 As was stated a few times in this thread, simply dropping this ewarn
 without adding a warning somewhere that anyone looking for a production
 server profile should be looking at hardened, doesn't seem prudent to me.
 
 - -- 
 Regards,
 
 Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
 Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
 

I plan to commit my latest patch on Sunday night. Thanks
-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-11-02 Thread Markos Chandras
On Mon, Nov 01, 2010 at 08:41:34PM +0300, Peter Volkov wrote:
 On Sun, 31/10/2010 at 16:38 +0200, Alex Alexander wrote:
  On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
   On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
Isn't this essentially what the default profile is?  Basically server is
just default + USE=apache2 ldap mysql snmp truetype xml.
   Well it shouldn't be like that. And if the default profile is pretty
   much the same as the server one, then please consider removing the
   server profile as it makes no sense then
  
  Please don't. The fact that there are only a few changes doesn't make it
  useless. Also, you'd be forcing all users currently using the profile to
  migrate without any real reason.
 
 But what is the target group of this profile? It sets only 6 USE flags
 that are really useless on half of servers (e.g. VPN/mail server). I'd
 better set only -perl -python there to make servers less dependent on
 python/perl updaters and decrease rebuilds for servers. Also it's good
 idea to make them hardened only as hardened works very well for
 servers. 
 
 -- 
 Peter.
 
 

Attached you may find my final proposal for server profiles.

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410
Index: default/linux/amd64/10.0/server/profile.bashrc
===
RCS file: 
/var/cvsroot/gentoo-x86/profiles/default/linux/amd64/10.0/server/profile.bashrc,v
retrieving revision 1.1
diff -u -b -B -u -r1.1 profile.bashrc
--- default/linux/amd64/10.0/server/profile.bashrc  6 Aug 2009 06:33:39 
-   1.1
+++ default/linux/amd64/10.0/server/profile.bashrc  2 Nov 2010 20:28:19 
-
@@ -6,16 +6,10 @@
 then
if [[ ! ${I_KNOW_WHAT_I_AM_DOING} == yes ]]
then
-   ewarn This profile has not been tested thoroughly and is not 
considered to be
-   ewarn a supported server profile at this time.  For a 
supported server
-   ewarn profile, please check the Hardened project 
(http://hardened.gentoo.org).
echo
ewarn This profile is merely a convenience for people who 
require a more
ewarn minimal profile, yet are unable to use hardened due to 
restrictions in
-   ewarn the software being used on the server. This profile 
should also be used
-   ewarn if you require GCC 4.1 or Glibc 2.4 support. If you 
don't know if this
-   ewarn applies to you, then it doesn't and you should probably 
be using
-   ewarn Hardened, instead.
+   ewarn the software being used on the server.
echo
fi
 fi
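Review bot: with the first three ewarn lines and the closing "Hardened, instead." line removed, nothing in the remaining message tells a reader where to find a supported or security-oriented server profile; the surviving text mentions hardened only as something the user is unable to use. Keep one ewarn line that points to the Hardened project (http://hardened.gentoo.org), and state in the commit message why the GCC 4.1 / Glibc 2.4 sentence is dropped.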
Index: targets/server/make.defaults
===
RCS file: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v
retrieving revision 1.2
diff -u -b -B -u -r1.2 make.defaults
--- targets/server/make.defaults17 Aug 2009 18:32:10 -  1.2
+++ targets/server/make.defaults2 Nov 2010 20:28:20 -
@@ -2,4 +2,4 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v 1.2 
2009/08/17 18:32:10 ssuominen Exp $
 
-USE=apache2 ldap mysql snmp truetype xml
+USE=-perl -python snmp truetype xml
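Review bot: the new USE line removes mysql along with apache2 and ldap and adds -perl -python, but make.defaults gets no comment explaining either choice. Add a short comment above USE saying that this target is meant to stay minimal and why perl and python are switched off, so a later editor does not re-add service-specific flags, and confirm that dropping mysql is intended.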




Re: [gentoo-dev] Changes in server profiles

2010-11-02 Thread Jorge Manuel B. S. Vicetto

On 02-11-2010 19:30, Markos Chandras wrote:
- - ewarn This profile has not been tested thoroughly and is not
considered to be
- - ewarn a supported server profile at this time.  For a supported
server
- - ewarn profile, please check the Hardened project
(http://hardened.gentoo.org).

As was stated a few times in this thread, simply dropping this ewarn
without adding a warning somewhere that anyone looking for a production
server profile should be looking at hardened, doesn't seem prudent to me.

- -- 
Regards,

Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng



Re: [gentoo-dev] Changes in server profiles

2010-11-02 Thread Markos Chandras
On Tue, Nov 02, 2010 at 10:23:36PM -0100, Jorge Manuel B. S. Vicetto wrote:
 
 On 02-11-2010 19:30, Markos Chandras wrote:
 - -   ewarn This profile has not been tested thoroughly and is not
 considered to be
 - -   ewarn a supported server profile at this time.  For a supported
 server
 - -   ewarn profile, please check the Hardened project
 (http://hardened.gentoo.org).
 
 As was stated a few times in this thread, simply dropping this ewarn
 without adding a warning somewhere that anyone looking for a production
 server profile should be looking at hardened, doesn't seem prudent to me.

Hmm ok. Updated now
 - -- 
 Regards,
 
 Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
 Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
 

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410
Index: default/linux/amd64/10.0/server/profile.bashrc
===
RCS file: 
/var/cvsroot/gentoo-x86/profiles/default/linux/amd64/10.0/server/profile.bashrc,v
retrieving revision 1.1
diff -u -b -B -u -r1.1 profile.bashrc
--- default/linux/amd64/10.0/server/profile.bashrc  6 Aug 2009 06:33:39 
-   1.1
+++ default/linux/amd64/10.0/server/profile.bashrc  2 Nov 2010 23:34:02 
-
@@ -6,16 +6,12 @@
 then
if [[ ! ${I_KNOW_WHAT_I_AM_DOING} == yes ]]
then
-   ewarn This profile has not been tested thoroughly and is not 
considered to be
-   ewarn a supported server profile at this time.  For a 
supported server
-   ewarn profile, please check the Hardened project 
(http://hardened.gentoo.org).
echo
ewarn This profile is merely a convenience for people who 
require a more
ewarn minimal profile, yet are unable to use hardened due to 
restrictions in
-   ewarn the software being used on the server. This profile 
should also be used
-   ewarn if you require GCC 4.1 or Glibc 2.4 support. If you 
don't know if this
-   ewarn applies to you, then it doesn't and you should probably 
be using
-   ewarn Hardened, instead.
+   ewarn the software being used on the server. If you seek for a 
secure
+   ewarn production server profile, please check the Hardened 
project
+   ewarn (http://hardened.gentoo.org)
echo
fi
 fi
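Review bot: the replacement ewarn text keeps a pointer to Hardened but no longer says whether this profile is tested or supported, which the removed first ewarn line stated outright; if that status has changed, say so in the commit message, otherwise keep a sentence about it. On wording, "If you seek for a secure" reads better as "If you are looking for a secure", and the last ewarn line should end with a period after the URL. As rendered here the ewarn arguments are unquoted, and the parentheses around the URL would not parse in bash, so check that the committed file quotes each message.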
Index: targets/server/make.defaults
===
RCS file: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v
retrieving revision 1.2
diff -u -b -B -u -r1.2 make.defaults
--- targets/server/make.defaults17 Aug 2009 18:32:10 -  1.2
+++ targets/server/make.defaults2 Nov 2010 23:34:03 -
@@ -2,4 +2,4 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: /var/cvsroot/gentoo-x86/profiles/targets/server/make.defaults,v 1.2 
2009/08/17 18:32:10 ssuominen Exp $
 
-USE=apache2 ldap mysql snmp truetype xml
+USE=-perl -python snmp truetype xml
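Review bot: -perl and -python in the target's USE take effect for every existing user of the server profile on their next update, so packages currently built with those flags enabled become candidates for a rebuild and lose that support without any notice. Mention the flag change in the profile's ewarn text or in a news item, and note in the commit message that users who need perl or python support must re-enable the flags locally.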




Re: [gentoo-dev] Changes in server profiles

2010-11-01 Thread Peter Volkov
On Sun, 31/10/2010 at 16:38 +0200, Alex Alexander wrote:
 On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
  On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
   Isn't this essentially what the default profile is?  Basically server is
   just default + USE=apache2 ldap mysql snmp truetype xml.
  Well it shouldn't be like that. And if the default profile is pretty
  much the same as the server one, then please consider removing the
  server profile as it makes no sense then
 
 Please don't. The fact that there are only a few changes doesn't make it
 useless. Also, you'd be forcing all users currently using the profile to
 migrate without any real reason.

But what is the target group of this profile? It sets only 6 USE flags
that are really useless on half of servers (e.g. VPN/mail server). I'd
better set only -perl -python there to make servers less dependent on
python/perl updaters and decrease rebuilds for servers. Also it's good
idea to make them hardened only as hardened works very well for
servers. 

-- 
Peter.




Re: [gentoo-dev] Changes in server profiles

2010-11-01 Thread Markos Chandras
On Mon, Nov 01, 2010 at 08:41:34PM +0300, Peter Volkov wrote:
 On Sun, 31/10/2010 at 16:38 +0200, Alex Alexander wrote:
  On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
   On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
Isn't this essentially what the default profile is?  Basically server is
just default + USE=apache2 ldap mysql snmp truetype xml.
   Well it shouldn't be like that. And if the default profile is pretty
   much the same as the server one, then please consider removing the
   server profile as it makes no sense then
  
  Please don't. The fact that there are only a few changes doesn't make it
  useless. Also, you'd be forcing all users currently using the profile to
  migrate without any real reason.
 
 But what is the target group of this profile? It sets only 6 USE flags
 that are really useless on half of servers (e.g. VPN/mail server). I'd
 better set only -perl -python there to make servers less dependent on
 python/perl updaters and decrease rebuilds for servers. Also it's good
 idea to make them hardened only as hardened works very well for
 servers. 
 
 -- 
 Peter.
 
 
Errr no. There are also home based fileservers, media servers, routers,
radio servers blah blah blah. Not everyone needs the hardened
toolchain/kernel/security/etc. The target group are lightweight servers for home
or SOHO usage, file sharing, nfs, etc. I maintain such a server group so
I am talking based on personal experience. As I said before server usage is
not always security oriented. 
Yes, perhaps using -python/-perl might be good. 
-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-31 Thread Markos Chandras
On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
 On 10/30/2010 08:10 AM, Thomas Sachau wrote:
  If I remember it right, the server profile was created for those people,
  who only want a minimum amount of default profile enabled USE flags (so no
  desktop profile because of that), but on the other side don't want to do
  the additional work/checks/reading for hardened profiles (which have much
  less profile enabled USE flags, but also have the special gcc, glibc and
  Kernel), basically a profile, which does the same as hardened profile
  without the specific hardened bits.
  
  
 
 Isn't this essentially what the default profile is?  Basically server is
 just default + USE=apache2 ldap mysql snmp truetype xml.
Well it shouldn't be like that. And if the default profile is pretty
much the same as the server one, then please consider removing the
server profile as it makes no sense then
 

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-31 Thread Alex Alexander
On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
 On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
  On 10/30/2010 08:10 AM, Thomas Sachau wrote:
   If I remember it right, the server profile was created for those people,
   who only want a minimum amount of default profile enabled USE flags (so no
   desktop profile because of that), but on the other side don't want to do
   the additional work/checks/reading for hardened profiles (which have much
   less profile enabled USE flags, but also have the special gcc, glibc and
   Kernel), basically a profile, which does the same as hardened profile
   without the specific hardened bits.
   
   
  
  Isn't this essentially what the default profile is?  Basically server is
  just default + USE=apache2 ldap mysql snmp truetype xml.
 Well it shouldn't be like that. And if the default profile is pretty
 much the same as the server one, then please consider removing the
 server profile as it makes no sense then

Please don't. The fact that there are only a few changes doesn't make it
useless. Also, you'd be forcing all users currently using the profile to
migrate without any real reason.

-- 
Alex Alexander | wired
Gentoo Linux Developer | Council / Qt / Chromium / more
www.linuxized.com




Re: [gentoo-dev] Changes in server profiles

2010-10-31 Thread Markos Chandras
On Sun, Oct 31, 2010 at 04:38:09PM +0200, Alex Alexander wrote:
 On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
  On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
   On 10/30/2010 08:10 AM, Thomas Sachau wrote:
If I remember it right, the server profile was created for those people,
who only want a minimum amount of default profile enabled USE flags (so no
desktop profile because of that), but on the other side don't want to do
the additional work/checks/reading for hardened profiles (which have much
less profile enabled USE flags, but also have the special gcc, glibc and
Kernel), basically a profile, which does the same as hardened profile
without the specific hardened bits.


   
   Isn't this essentially what the default profile is?  Basically server is
   just default + USE=apache2 ldap mysql snmp truetype xml.
  Well it shouldn't be like that. And if the default profile is pretty
  much the same as the server one, then please consider removing the
  server profile as it makes no sense then
 
 Please don't. The fact that there are only a few changes doesn't make it
 useless. Also, you'd be forcing all users currently using the profile to
 migrate without any real reason.
 
 -- 
 Alex Alexander | wired
 Gentoo Linux Developer | Council / Qt / Chromium / more
 www.linuxized.com

You are missing the point here. My intention is to make server profiles
more generic for server usage and not optimised for ldap/web hosting
services


-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-31 Thread Alec Warner
On Sun, Oct 31, 2010 at 7:38 AM, Alex Alexander wi...@gentoo.org wrote:
 On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
 On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
  On 10/30/2010 08:10 AM, Thomas Sachau wrote:
   If I remember it right, the server profile was created for those people,
   who only want a minimum amount of default profile enabled USE flags (so no
   desktop profile because of that), but on the other side don't want to do
   the additional work/checks/reading for hardened profiles (which have much
   less profile enabled USE flags, but also have the special gcc, glibc and
   Kernel), basically a profile, which does the same as hardened profile
   without the specific hardened bits.
  
  
 
  Isn't this essentially what the default profile is?  Basically server is
  just default + USE=apache2 ldap mysql snmp truetype xml.
 Well it shouldn't be like that. And if the default profile is pretty
 much the same as the server one, then please consider removing the
 server profile as it makes no sense then

 Please don't. The fact that there are only a few changes doesn't make it
 useless. Also, you'd be forcing all users currently using the profile to
 migrate without any real reason.

We don't really delete profiles (maybe once every few years...)  We
could opt to mark the server target deprecated and not update it
anymore.

-A


 --
 Alex Alexander | wired
 Gentoo Linux Developer | Council / Qt / Chromium / more
 www.linuxized.com




Re: [gentoo-dev] Changes in server profiles

2010-10-31 Thread Markos Chandras
On Sun, Oct 31, 2010 at 12:47:32PM -0700, Alec Warner wrote:
 On Sun, Oct 31, 2010 at 7:38 AM, Alex Alexander wi...@gentoo.org wrote:
  On Sun, Oct 31, 2010 at 11:50:02AM +, Markos Chandras wrote:
  On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
   On 10/30/2010 08:10 AM, Thomas Sachau wrote:
If I remember it right, the server profile was created for those people,
who only want a minimum amount of default profile enabled USE flags (so no
desktop profile because of that), but on the other side don't want to do
the additional work/checks/reading for hardened profiles (which have much
less profile enabled USE flags, but also have the special gcc, glibc and
Kernel), basically a profile, which does the same as hardened profile
without the specific hardened bits.
   
   
  
   Isn't this essentially what the default profile is?  Basically server is
   just default + USE=apache2 ldap mysql snmp truetype xml.
  Well it shouldn't be like that. And if the default profile is pretty
  much the same as the server one, then please consider removing the
  server profile as it makes no sense then
 
  Please don't. The fact that there are only a few changes doesn't make it
  useless. Also, you'd be forcing all users currently using the profile to
  migrate without any real reason.
 
 We don't really delete profiles (maybe once every few years...)  We
 could opt to mark the server target deprecated and not update it
 anymore.
 
 -A
 
 
  --
  Alex Alexander | wired
  Gentoo Linux Developer | Council / Qt / Chromium / more
  www.linuxized.com
 
 
I did not literally mean what I said. My intention is to make server
profiles useful. They are not equivalent to default profile (at least they
shouldn't). I see that this discussion is moving to dead-end so I will
do what I suggested at least at the amd64 profile

1) drop apache2, ldap use flags
2) Adjust warning message to reflect reality

in 72 hours

---
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-30 Thread Peter Volkov
On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
 On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras hwoar...@gentoo.org wrote:
 Can I install a machine with the server profile and USE=-ldap, but
 still get ldap + pam working?
 Can I install a machine with the server profile and USE=-apache, but
 still get apache + php working?  apache + rails?
 How many packages support each USE flag?
 How many of those packages have IUSE defaults for +ldap or +apache already?

Having lxc/openvz/vserver technologies at hand it's not rare to split
LAMP server into a number of virtual servers (containers): mysql /
backend with php / frontend / smtp - everything sits in its own
container. And USE=apache will be used only in _one_ container. Also not
all servers are web servers. So IMO server profile should be just
minimal profile that hints users that this profile will stay minimal and
usable for all kinds of servers. That said I think server profile is
useless and for servers I maintain my own profiles.

-- 
Peter.




Re: [gentoo-dev] Changes in server profiles

2010-10-30 Thread Markos Chandras
On Sat, Oct 30, 2010 at 10:05:17AM +0400, Peter Volkov wrote:
 On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
  On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras hwoar...@gentoo.org 
  wrote:
  Can I install a machine with the server profile and USE=-ldap, but
  still get ldap + pam working?
  Can I install a machine with the server profile and USE=-apache, but
  still get apache + php working?  apache + rails?
  How many packages support each USE flag?
  How many of those packages have IUSE defaults for +ldap or +apache already?
 
 Having lxc/openvz/vserver technologies at hand it's not rare to split
 LAMP server into a number of virtual servers (containers): mysql /
 backend with php / frontend / smtp - everything sits in its own
 container. And USE=apache will be used only in _one_ container. Also not
 all servers are web servers. So IMO server profile should be just
 minimal profile that hints users that this profile will stay minimal and
 usable for all kinds of servers. That said I think server profile is
 useless and for servers I maintain my own profiles.
 
 -- 
 Peter.
 
 
Exactly! How about the warning message. Should the statement about
gcc+glibc be removed and keep the one about hardened but make it a bit
different? Like This profile is making use of a minimal set of use flag.
You may find it useful in a server environment. However, if you are seeking
for extra security, please check the Hardened project
(http://hardened.gentoo.org).

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-30 Thread Richard Freeman
On 10/30/2010 05:09 AM, Markos Chandras wrote:
 On Sat, Oct 30, 2010 at 10:05:17AM +0400, Peter Volkov wrote:
 On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
 On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras hwoar...@gentoo.org 
 wrote:
 Can I install a machine with the server profile and USE=-ldap, but
 still get ldap + pam working?
 Can I install a machine with the server profile and USE=-apache, but
 still get apache + php working?  apache + rails?
 How many packages support each USE flag?
 How many of those packages have IUSE defaults for +ldap or +apache already?

 Having lxc/openvz/vserver technologies at hand it's not rare to split
 LAMP server into a number of virtual servers (containers): mysql /
 backend with php / frontend / smtp - everything sits in its own
 container. And USE=apache will be used only in _one_ container. Also not
 all servers are web servers. So IMO server profile should be just
 minimal profile that hints users that this profile will stay minimal and
 usable for all kinds of servers. That said I think server profile is
 useless and for servers I maintain my own profiles.

 -- 
 Peter.


 Exactly! How about the warning message. Should the statement about
 gcc+glibc be removed and keep the one about hardened but make it a bit
 different? Like This profile is making use of a minimal set of use flag.
 You may find it useful in a server environment. However, if you are seeking
 for extra security, please check the Hardened project
 (http://hardened.gentoo.org).
 

What exactly is the intended use of the server flag?

When I want a minimal image, I usually just use the default profile.
That is pretty-much a bare-bones gentoo install.  I can see the use of
desktop, and I can see the use of hardened.  Right now server just looks
like default with random stuff for various kinds of servers added.

I could see if server had a different set of keywords and QA policy
(like debian stable), or if there were a set of use flags that would be
universally useful on a server and not on a desktop.

Right now it just seems like the server profile exists since lots of
other distros have server editions, so we should too.  If that is the
case, why not just point users to the default profile, or hardened?

I'd be curious what the users of the server profile say.  If anything
they are the ones we should be listening to since they've found a use
for it.

Rich



Re: [gentoo-dev] Changes in server profiles

2010-10-30 Thread Thomas Sachau
On 30.10.2010 03:37, Donnie Berkholz wrote:
 On 15:46 Fri 29 Oct , Thomas Sachau wrote:
 Which raises the question, if those people, who want to install a 
 minimal server will mostly use apache or something different. And 
 especially for minimal setups, I don't think that apache will be the 
 first choice, so I agree with the removal of those USE flags from 
 default IUSE. The profile is intended to have a minimal set of flags, 
 I would call apache an additional optional flag, not a default option 
 for minimal server setups.
 
 I'm not sure when this transition happened, as profile USE flags have 
 traditionally been a reasonable default set rather than a minimal set. 
 This gives people who don't have much experience with Gentoo a decent 
 chance at getting a working system on their first try. For people who 
 have more experience, it's not exactly difficult to change things.
 

If I remember it right, the server profile was created for those people,
who only want a minimum amount of default profile enabled USE flags (so no
desktop profile because of that), but on the other side don't want to do
the additional work/checks/reading for hardened profiles (which have much
less profile enabled USE flags, but also have the special gcc, glibc and
Kernel), basically a profile, which does the same as hardened profile
without the specific hardened bits.


-- 
Thomas Sachau

Gentoo Linux Developer





[gentoo-dev] Changes in server profiles

2010-10-29 Thread Markos Chandras
Hi

I don't know how many of you are using these profiles. I would like to
propose a couple of changes

1) I want to drop the warning message located on profile.bashrc files
e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
It is more than obvious what this profile is for so I don't think this
message makes any sense.

2) Furthermore I would like to drop the following use flags from default
IUSE

-apache2
-ldap

A minimal server installation requires neither apache2 nor ldap

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Paweł Hajdan, Jr.
On 10/29/10 1:03 PM, Markos Chandras wrote:
 1) I want to drop the warning message located on profile.bashrc files
 e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
 It is more than obvious what this profile is for so I don't think this
 message makes any sense.

 ewarn This profile has not been tested thoroughly and is not considered to 
 be
 ewarn a supported server profile at this time.  For a supported server

The above is definitely not obvious. Is this documented in any other place?

 ewarn the software being used on the server. This profile should also be 
 used
 ewarn if you require GCC 4.1 or Glibc 2.4 support. If you don't know if this

That too.

By the way, I think there was some way to mark a profile as
development, unsupported, or something like that.

 2) Furthermore I would like to drop the following use flags from default
 IUSE
 
 -apache2
 -ldap
 
 A minimal server installation requires neither apache2 nor ldap

Sounds good (I'm not using a server profile though).





Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Markos Chandras
On Fri, Oct 29, 2010 at 01:18:14PM +0200, Paweł Hajdan, Jr. wrote:
 On 10/29/10 1:03 PM, Markos Chandras wrote:
  1) I want to drop the warning message located on profile.bashrc files
  e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
  It is more than obvious what this profile is for so I don't think this
  message makes any sense.
 
  ewarn This profile has not been tested thoroughly and is not considered to 
  be
  ewarn a supported server profile at this time.  For a supported server
 
 The above is definitely not obvious. Is this documented in any other place?
This is there for years. You think that anyone is working on that in
order to verify whether it is a *stable* server profile or not? I use it
since the very beginning on my servers and I say that it works!
 
  ewarn the software being used on the server. This profile should also be 
  used
  ewarn if you require GCC 4.1 or Glibc 2.4 support. If you don't know if 
  this
 
 That too.
 
I use the latest stable for GCC+Glibc and never had an issue. Maybe some
people are confusing the server profiles with the hardened one?

 By the way, I think there was some way to mark a profile as
 development, unsupported, or something like that.
It's been in this state for years so I do not expect someone to actually
be working on that
 
  2) Furthermore I would like to drop the following use flags from default
  IUSE
  
  -apache2
  -ldap
  
  A minimal server installation requires neither apache2 nor ldap
 
 Sounds good (I'm not using a server profile though).
 



-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Paweł Hajdan, Jr.
On 10/29/10 1:24 PM, Markos Chandras wrote:
 On Fri, Oct 29, 2010 at 01:18:14PM +0200, Paweł Hajdan, Jr. wrote:
 ewarn This profile has not been tested thoroughly and is not considered to be
 ewarn a supported server profile at this time.  For a supported server

If the above is no longer true you can safely ignore my earlier
comments. :-D

Actually, removing the no-longer-true message sounds good.





Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Jorge Manuel B. S. Vicetto
Hi.

On 29-10-2010 11:03, Markos Chandras wrote:
 Hi
 
 I don't know how many of you are using these profiles. I would like to
 propose a couple of changes
 
 1) I want to drop the warning message located on profile.bashrc files
 e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
 It is more than obvious what this profile is for so I don't think this
 message makes any sense.

I've always taken the message about the server profiles not being
properly tested as a warning that anyone wanting to run a secure
server profile should use one of the hardened profiles.
If so, I'd leave that warning alone until we get enough people working
on the server profiles so we can make any promises about it.

 2) Furthermore I would like to drop the following use flags from default
 IUSE
 
 -apache2
 -ldap
 
 A minimal server installation requires neither apache2 nor ldap

Although one can install a server without apache or ldap, I'd say the
server profile seems the natural choice to have them enabled.
If we had the statistics for it, we could check how many people have
apache installed with that profile vs not having it. As there's nothing
preventing one from having USE=-apache2 -ldap when required and I
don't use the server profiles, I don't really have a strong opinion
about this.

- -- 
Regards,

Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng



Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Petteri Räty
On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote:

 
 2) Furthermore I would like to drop the following use flags from default
 IUSE
 
 -apache2
 -ldap
 
 A minimal server installation requires neither apache2 nor ldap
 
 Although one can install a server without apache or ldap, I'd say the
 server profile seems the natural choice to have them enabled.
 If we had the statistics for it, we could check how many people have
 apache installed with that profile vs not having it. As there's nothing
 preventing one from having USE=-apache2 -ldap when required and I
 don't use the server profiles, I don't really have a strong opinion
 about this.
 

And enabling a use flag should be a question of whether it is wanted when a
package actually supports those flags. On a server, when you are
installing a package with an apache use flag, it's certainly possible that
you would like to have it enabled more often than not.

Regards,
Petteri



Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Markos Chandras
On Fri, Oct 29, 2010 at 12:02:20PM +, Jorge Manuel B. S. Vicetto wrote:
 
 Hi.
 
 On 29-10-2010 11:03, Markos Chandras wrote:
  Hi
  
  I don't know how many of you are using these profiles. I would like to
  propose a couple of changes
  
  1) I want to drop the warning message located on profile.bashrc files
  e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
  It is more than obvious what this profile is for so I don't think this
  message makes any sense.
 
 I've always taken the message about the server profiles not being
 properly tested as a warning that anyone wanting to run a secure
 server profile should use one of the hardened profiles.
But isn't that obvious? How are server profiles related to hardened
anyway? Anyway, this can stay. The rest about GCC and Glibc I think is
useless
 If so, I'd leave that warning alone until we get enough people working
 on the server profiles so we can make any promises about it.
How many? Work on what actually? It is just a profile with minimal use
flags. There is nothing to work on :-/ I don't understand that. Tell me
which areas of server profile need more attention so I can understand
what you are talking about
 
  2) Furthermore I would like to drop the following use flags from default
  IUSE
  
  -apache2
  -ldap
  
  A minimal server installation requires neither apache2 nor ldap
 
 Although one can install a server without apache or ldap, I'd say the
 server profile seems the natural choice to have them enabled.
So you assume that the most common server configuration is for active
directory or web hosting
 If we had the statistics for it, we could check how many people have
 apache installed with that profile vs not having it. As there's nothing
 preventing one from having USE=-apache2 -ldap when required and I
 don't use the server profiles, I don't really have a strong opinion
 about this.
Same for USE=apache2 ldap on make.conf. That is not a valid argument
:)
 
 - -- 
 Regards,
 
 Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
 Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
 

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410




Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Thomas Sachau
Am 29.10.2010 14:13, schrieb Petteri Räty:
 On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote:
 

 2) Furthermore I would like to drop the following use flags from default
 IUSE

 -apache2
 -ldap

 A minimal server installation requires neither apache2 nor ldap

 Although one can install a server without apache or ldap, I'd say the
 server profile seems the natural choice to have them enabled.
 If we had the statistics for it, we could check how many people have
 apache installed with that profile vs not having it. As there's nothing
 preventing one from having USE=-apache2 -ldap when required and I
 don't use the server profiles, I don't really have a strong opinion
 about this.

 
 And enabling a use flag should be a question of whether it is wanted when a
 package actually supports those flags. On a server, when you are
 installing a package with an apache use flag, it's certainly possible that
 you would like to have it enabled more often than not.
 
 Regards,
 Petteri
 
 

Which raises the question, if those people, who want to install a minimal
server will mostly use apache or something different. And especially for
minimal setups, I don't think that apache will be the first choice, so I agree
with the removal of those USE flags from default IUSE.
The profile is intended to have a minimal set of flags, I would call apache an
additional optional flag, not a default option for minimal server setups.

-- 
Thomas Sachau

Gentoo Linux Developer





Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Rafael Goncalves Martins
On Fri, Oct 29, 2010 at 11:46 AM, Thomas Sachau to...@gentoo.org wrote:
 Am 29.10.2010 14:13, schrieb Petteri Räty:
 On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote:


 2) Furthermore I would like to drop the following use flags from default
 IUSE

 -apache2
 -ldap

 A minimal server installation requires neither apache2 nor ldap

 Although one can install a server without apache or ldap, I'd say the
 server profile seems the natural choice to have them enabled.
 If we had the statistics for it, we could check how many people have
 apache installed with that profile vs not having it. As there's nothing
 preventing one from having USE=-apache2 -ldap when required and I
 don't use the server profiles, I don't really have a strong opinion
 about this.


 And enabling a use flag should be a question of whether it is wanted when a
 package actually supports those flags. On a server, when you are
 installing a package with an apache use flag, it's certainly possible that
 you would like to have it enabled more often than not.

 Regards,
 Petteri



 Which raises the question, if those people, who want to install a minimal
 server will mostly use apache or something different. And especially for
 minimal setups, I don't think that apache will be the first choice, so I agree
 with the removal of those USE flags from default IUSE.
 The profile is intended to have a minimal set of flags, I would call apache an
 additional optional flag, not a default option for minimal server setups.


Totally agreed!

Best regards.

-- 
Rafael Goncalves Martins
Gentoo Linux developer
http://rafaelmartins.eng.br/



Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Kfir Lavi
On Fri, Oct 29, 2010 at 4:23 PM, Rafael Goncalves Martins
rafaelmart...@gentoo.org wrote:
 On Fri, Oct 29, 2010 at 11:46 AM, Thomas Sachau to...@gentoo.org wrote:
 Am 29.10.2010 14:13, schrieb Petteri Räty:
 On 29.10.2010 15.02, Jorge Manuel B. S. Vicetto wrote:


 2) Furthermore I would like to drop the following use flags from default
 IUSE

 -apache2
 -ldap

 A minimal server installation requires neither apache2 nor ldap

 Although one can install a server without apache or ldap, I'd say the
 server profile seems the natural choice to have them enabled.
 If we had the statistics for it, we could check how many people have
 apache installed with that profile vs not having it. As there's nothing
 preventing one from having USE=-apache2 -ldap when required and I
 don't use the server profiles, I don't really have a strong opinion
 about this.


 And enabling a use flag should be a question of whether it is wanted when a
 package actually supports those flags. On a server, when you are
 installing a package with an apache use flag, it's certainly possible that
 you would like to have it enabled more often than not.

 Regards,
 Petteri



 Which raises the question, if those people, who want to install a minimal
 server will mostly use apache or something different. And especially for
 minimal setups, I don't think that apache will be the first choice, so I agree
 with the removal of those USE flags from default IUSE.
 The profile is intended to have a minimal set of flags, I would call apache an
 additional optional flag, not a default option for minimal server setups.


 Totally agreed!

 Best regards.

 --
 Rafael Goncalves Martins
 Gentoo Linux developer
 http://rafaelmartins.eng.br/



I use the server profile and I would also like a minimal set of use flags.
I don't think you need to force sysadmins, that know what they want,
to have those flags.

Regards,
Kfir



Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Markos Chandras
On Fri, Oct 29, 2010 at 09:11:33AM -0700, Alec Warner wrote:
 'Anyone wanting to run a secure server profile should use hardened'
 tends to imply that the server profile is insecure which is probably
 not what you intend to convey to users.  Hardened is likely more
 secure (which is all we can really say authoritatively...)  I don't
 think saying that *somewhere* is a bad idea.  The profile.bashrc is
 likely not the best place however.
I understand your concern and why someone might get confused about the
server/hardened thingie however I think that polluting this profile
in this way is not acceptable.
Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete.
At least this part has to be removed/changed
 
  If so, I'd leave that warning alone until we get enough people working
  on the server profiles so we can make any promises about it.
  How many? Work on what actually? It is just a profile with minimal use
  flags. There is nothing to work on :-/ I don't understand that. Tell me
  which areas of server profile need more attention so I can understand
  what you are talking about
 
 If it is a profile with minimal use flags why not call it minimal? :)
Cause 'server' is minimal by default.
 
 
  If we had the statistics for it, we could check how many people have
  apache installed with that profile vs not having it. As there's nothing
  preventing one from having USE=-apache2 -ldap when required and I
  don't use the server profiles, I don't really have a strong opinion
  about this.
  Same for USE=apache2 ldap on make.conf. That is not a valid argument
  :)
 
 1) I don't believe anyone has any clear data on what flags are enabled
 or disabled by users.
 2) Each of us uses the server profile differently.
 3) Each of us has a different idea of what is involved with running a server.
 
 It is difficult to take the argument in any strong direction due to
 these types of problems (it is an obvious bikeshed..)
 
 I will instead try a different tack.  I think it is advantageous to
 reduce the number of default flags.  There is a question of what will
 break though; so that is the question I pose to you.
 
 Can I install a machine with the server profile and USE=-ldap, but
 still get ldap + pam working?
 Can I install a machine with the server profile and USE=-apache, but
 still get apache + php working?  apache + rails?
 How many packages support each USE flag?
 How many of those packages have IUSE defaults for +ldap or +apache already?
First of all, relying on specific package use flag choices is wrong by
default. What if these packages change their default use flags some day?
Are you sure you want to engineer your profiles' behavior based on
specific packages?
Using these flags by default you imply that the server profile is
optimised for web hosting/active directory usage. So why don't you add
ipv6, snmp, vhosts by default too, to include all those firewall/router
hosts running Gentoo? The server profile *imho* should have as few USE
flags as possible. Users who use this profile should be well
educated on how to add more USE flags if needed.

-- 
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411  3477 F7F7 1E8E 441A C410
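
Added example, not part of the thread: one way to put numbers on the questions quoted in the message above (which packages support a flag, which already default it on, and which would lose it if the profile stopped setting it). The ebuild fragments and package names are constructed, and the three-layer stacking (IUSE defaults, then profile, then make.conf) is a simplified model of Portage's USE ordering.

```python
import re

# Constructed ebuild fragments (not real tree contents): package -> IUSE line.
SAMPLE_EBUILDS = {
    "dev-lang/php-example": 'IUSE="apache2 ldap +cli"',
    "net-nds/dirclient-example": 'IUSE="+ldap ssl"',
    "www-apps/webapp-example": 'IUSE="+apache2"',
    "net-misc/tool-example": 'IUSE="ipv6"',
}

def parse_iuse(line):
    """Return {flag: enabled_by_iuse_default} for one IUSE="..." line."""
    m = re.search(r'IUSE="([^"]*)"', line)
    flags = {}
    for tok in (m.group(1).split() if m else []):
        flags[tok.lstrip("+-")] = tok.startswith("+")
    return flags

def flag_report(ebuilds, flag):
    """Packages that support `flag`, and the subset that default it on."""
    supports, defaults_on = [], []
    for pkg, line in sorted(ebuilds.items()):
        iuse = parse_iuse(line)
        if flag in iuse:
            supports.append(pkg)
            if iuse[flag]:
                defaults_on.append(pkg)
    return supports, defaults_on

def effective(iuse, profile_use, conf_use):
    """Stack lowest to highest priority: IUSE defaults, profile, make.conf."""
    state = dict(iuse)
    for layer in (profile_use, conf_use):
        for tok in layer.split():
            name = tok.lstrip("-")
            if name in state:  # flags a package does not declare are ignored
                state[name] = not tok.startswith("-")
    return sorted(f for f, on in state.items() if on)

def impact_of_dropping(ebuilds, flag, profile_use, conf_use=""):
    """Packages that lose `flag` once it is removed from the profile's USE."""
    trimmed = " ".join(t for t in profile_use.split() if t != flag)
    lost = []
    for pkg, line in sorted(ebuilds.items()):
        iuse = parse_iuse(line)
        before = effective(iuse, profile_use, conf_use)
        after = effective(iuse, trimmed, conf_use)
        if flag in before and flag not in after:
            lost.append(pkg)
    return lost
```

In this model, only packages that declare the flag without a `+` default change behaviour when the profile stops enabling it, and a `USE` entry in make.conf restores it.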




Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Paweł Hajdan, Jr.
On 10/29/10 6:29 PM, Markos Chandras wrote:
 Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete.
 At least this part has to be removed/changed

Fine for me.





Re: [gentoo-dev] Changes in server profiles

2010-10-29 Thread Donnie Berkholz
On 15:46 Fri 29 Oct , Thomas Sachau wrote:
 Which raises the question, if those people, who want to install a
 minimal server will mostly use apache or something different. And
 especially for minimal setups, I don't think that apache will be the
 first choice, so I agree with the removal of those USE flags from
 default IUSE. The profile is intended to have a minimal set of flags,
 I would call apache an additional optional flag, not a default option
 for minimal server setups.

I'm not sure when this transition happened, as profile USE flags have 
traditionally been a reasonable default set rather than a minimal set. 
This gives people who don't have much experience with Gentoo a decent 
chance at getting a working system on their first try. For people who 
have more experience, it's not exactly difficult to change things.

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.wordpress.com

