Comments on: Gentoo Hardened for the win http://www.mindstab.net/wordpress/archives/224 Various projects and musings Fri, 24 Jul 2009 03:24:19 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Dan Ballard http://www.mindstab.net/wordpress/archives/224/comment-page-1#comment-19422 Dan Ballard Fri, 10 Aug 2007 18:27:26 +0000 http://www.mindstab.net/wordpress/archives/224#comment-19422 True, but if I'm still recompiling why not use Gentoo. Quick research at least indicates they do update ports with patches as well as core, so thats good, but again, it looks like recompiling, no binary updates. I was mostly just wishing for a distro with the security of OpenBSD or maybe Gentoo Hardened, but that was binary and had binary security updates, to ease old or small machines. True, but if I’m still recompiling why not use Gentoo. Quick research at least indicates they do update ports with patches as well as core, so thats good, but again, it looks like recompiling, no binary updates.

I was mostly just wishing for a distro with the security of OpenBSD or maybe Gentoo Hardened, but that was binary and had binary security updates, to ease old or small machines.

]]> By: gregf http://www.mindstab.net/wordpress/archives/224/comment-page-1#comment-19419 gregf Fri, 10 Aug 2007 13:52:05 +0000 http://www.mindstab.net/wordpress/archives/224#comment-19419 Every security update does not require you to compile the entire src tree. You can simple recompile the specific program inside the source tree that needs updating. For example cd /usr/src/usr.bin/file make obj make cleandir make depend make make install No need to recompile your entire tree and reboot. If it was a issue with the kernel then yes there would be a lot more compiling and a reboot. That's not something that happens often though. Every security update does not require you to compile the entire src tree. You can simple recompile the specific program inside the source tree that needs updating. For example

cd /usr/src/usr.bin/file
make obj
make cleandir
make depend
make
make install

No need to recompile your entire tree and reboot. If it was a issue with the kernel then yes there would be a lot more compiling and a reboot. That’s not something that happens often though.

]]> By: Dan Ballard http://www.mindstab.net/wordpress/archives/224/comment-page-1#comment-19414 Dan Ballard Fri, 10 Aug 2007 06:41:37 +0000 http://www.mindstab.net/wordpress/archives/224#comment-19414 Sorry, I was lazy. It still doesn't change the fact that the security updates are patches to source only or updated CVS so recompiling is required. And I'd like a longer support cycle than a year. I have systems with uptimes longer than a year, kind of a waste to turn them off just to reinstall an OS. Better to avoid that kind of pointless downtime if it can be done. Sorry, I was lazy. It still doesn’t change the fact that the security updates are patches to source only or updated CVS so recompiling is required. And I’d like a longer support cycle than a year. I have systems with uptimes longer than a year, kind of a waste to turn them off just to reinstall an OS. Better to avoid that kind of pointless downtime if it can be done.

]]> By: Nate MacKenzie http://www.mindstab.net/wordpress/archives/224/comment-page-1#comment-19407 Nate MacKenzie Thu, 09 Aug 2007 22:59:15 +0000 http://www.mindstab.net/wordpress/archives/224#comment-19407 No, OpenBSD has a one year support cycle, every six months a new release is made available and the release before that stays supported, while the release that is now two releases behind the current release, ends it's support. So while 4.3 comes out, 4.1 ends it's support, one year after it's release. This isn't that hard to find out, why didn't you? No, OpenBSD has a one year support cycle, every six months a new release is made available and the release before that stays supported, while the release that is now two releases behind the current release, ends it’s support. So while 4.3 comes out, 4.1 ends it’s support, one year after it’s release. This isn’t that hard to find out, why didn’t you?

]]> By: Ciaran McCreesh http://www.mindstab.net/wordpress/archives/224/comment-page-1#comment-19406 Ciaran McCreesh Thu, 09 Aug 2007 21:40:10 +0000 http://www.mindstab.net/wordpress/archives/224#comment-19406 Unfortunately, all SSP does is make certain legitimate C++ programs crash when given legitimate input, thus exposing you to new DoS attacks. It does not make your system any more secure, and it does not make security holes disappear. Unfortunately, all SSP does is make certain legitimate C++ programs crash when given legitimate input, thus exposing you to new DoS attacks. It does not make your system any more secure, and it does not make security holes disappear.

]]>