RFC: Removing -unicode from all hardened profiles
Hi everyone,

I'd like to remove USE="-unicode" from make.defaults at the root level of all hardened profiles. The request came from jmbsvicetto because he required it for the hardened stages to build, but to be honest, I don't know why we have it disabled in hardened and it's probably leftover cruft from days gone by.

Any reason not to, else it's gone.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535

Anthony,

All my hardened boxes have Unicode enabled by hand. Everything is fine. I can't understand why it is disabled too.

Sent from my iPhone

On 21/04/2012, at 08:05, "Anthony G. Basile" <blueness@gentoo.org> wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level of all hardened profiles. The request came from jmbsvicetto because he required it for the hardened stages to build, but to be honest, I don't know why we have it disabled in hardened and it's probably leftover cruft from days gone by.
>
> Any reason not to, else it's gone.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@gentoo.org
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535

On 21/04/12 16:55, Vinícius Ferrão wrote:

> Anthony,
>
> All my hardened boxes have Unicode enabled by hand. Everything is fine. I can't understand why it is disabled too.

Same here blueness, for me it can go and nobody will notice :D

On Sat, 21 Apr 2012 18:13:45 +0200 "Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org> wrote:

> On 21/04/12 16:55, Vinícius Ferrão wrote:
> > Anthony,
> >
> > All my hardened boxes have Unicode enabled by hand. Everything is
> > fine. I can't understand why it is disabled too.
> Same here blueness, for me it can go and nobody will notice :D

I have had unicode enabled for a long time, both my mail server understands it (so it can filter spam) and my laptop. Both have had no issues.

--
Matthew Thode (prometheanfire)

On 04/21/2012 07:05 AM, Anthony G. Basile wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level
> of all hardened profiles. The request came from jmbsvicetto because he
> required it for the hardened stages to build, but to be honest, I don't
> know why we have it disabled in hardened and it's probably leftover cruft
> from days gone by.
>
> Any reason not to, else it's gone.

A few of our servers have it enabled (http, mail), but others don't (vpn, firewall, nagios).

I think the hardened profile should default to having stuff disabled, unless there's a reason to enable it. Every little bit increases your surface area.

But I'm sure jmbsvicetto knows what he's doing, so that principle may not apply here. If it's required, turn it on.

On 21.04.2012 13:05, Anthony G. Basile wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root
> level of all hardened profiles. The request came from jmbsvicetto
> because he required it for the hardened stages to build, but to be
> honest, I don't know why we have it disabled in hardened and it's
> probably leftover cruft from days gone by.
>
> Any reason not to, else it's gone.

Hi,

unicode works fine for me on several hardened systems. I don't think, that there would be real problems.
But to make it sure: why don't you write a news item (eselect news ... -thingy) that announces the switch.
Anyone who needs -unicode for some reason would have the chance to update hers or his make.conf (maybe even to go with "never change a working system").

With kind regards,
Hinnerk

On Sat, Apr 21, 2012 at 09:12:37PM +0200, Hinnerk van Bruinehsen wrote:

> unicode works fine for me on several hardened systems. I don't think,
> that there would be real problems.
> But to make it sure: why don't you write a news item (eselect news ...
> -thingy) that announces the switch.
> Anyone who needs -unicode for some reason would have the chance to
> update hers or his make.conf (maybe even to go with "never change a
> working system").

I don't think it is necessary to use a news item. These are generally for when things might break. A change in USE flags that add in optional support generally doesn't break things (of course, there are always exceptions).

Users that run their upgrades with --new-use or --changed-use are already expecting USE flag changes to occur (otherwise they wouldn't mention these switches with emerge). If you notice that there are USE flags being enabled or disabled that you rather don't, just edit /etc/make.conf and live happily ever after.

Although there is much to say about "minimal installation" for servers, this is not always something that we, from a distribution point of view, can enforce. Some features, and I think unicode is one of them, are well capable of being supported on a default server. Especially with more and more users and organizations adopting unicode as the default character format rather than the older ISO-* ones.

Wkr,
Sven Vermeulen

On 04/21/2012 07:05 AM, Anthony G. Basile wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level of all hardened profiles. The request came from jmbsvicetto because he required it for the hardened stages to build, but to be honest, I don't know why we have it disabled in hardened and it's probably leftover cruft from days gone by.
>
> Any reason not to, else it's gone.

Okay, I will remove it in a minute. Answering some points:

1) Not a news item. News items IMHO are for things that require significant user intervention, eg. when I changed up the entire profile structure and the user had to eselect profile.

2) I'm only changing the default, so for those who still want unicode off, you can still do USE=-unicode in your make.conf

3) I agree that hardened should be mostly off by default. Eg. ipv6 is off by default. But as pressure mounts the switch to on by default may have to occur as it has now with unicode and will happen some day with ipv6.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535

On Sun, 22 Apr 2012 07:26:19 -0400 Anthony G. Basile wrote:

> 3) I agree that hardened should be mostly off by default. Eg. ipv6 is
> off by default. But as pressure mounts the switch to on by default may
> have to occur as it has now with unicode and will happen some day with ipv6.

Good stuff. There was a nasty input sanitisation avoiding bug in PHP that only affected linux boxes with unicode enabled terminals. Maybe these bug types have something to do with it.

I'd be in two minds, personally I can't remember using unicode on a terminal and you could use base64 as a workaround. Many many will use it though, so the default should be enabled.

On 23/04/2012 19:17, Kevin Chadwick wrote:

> On Sun, 22 Apr 2012 07:26:19 -0400 Anthony G. Basile wrote:
> > 3) I agree that hardened should be mostly off by default. Eg. ipv6 is off by default. But as pressure mounts the switch to on by default may have to occur as it has now with unicode and will happen some day with ipv6.
>
> Good stuff. There was a nasty input sanitisation avoiding bug in PHP that only affected linux boxes with unicode enabled terminals. Maybe these bug types have something to do with it.
>
> I'd be in two minds, personally I can't remember using unicode on a terminal and you could use base64 as a workaround. Many many will use it though, so the default should be enabled.

Equally I would be thinking that we can find some bugs due to unicode being off? Whether they would cause "security" failures is another matter.

It's probably on the tipping point that ipv6/unicode needs decent testing

Ed W