04-21-2012, 11:05 AM
"Anthony G. Basile"

RFC: Removing -unicode from all hardened profiles

Hi everyone,

I'd like to remove USE="-unicode" from make.defaults at the root level
of all hardened profiles. The request came from jmbsvicetto because he
required it for the hardened stages to build, but to be honest, I don't
know why we have it disabled in hardened and it's probably leftover cruft
from days gone by.


Any reason not to, else it's gone.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
04-21-2012, 02:55 PM
Vinícius Ferrão

RFC: Removing -unicode from all hardened profiles

Anthony,

All my hardened boxes have Unicode enabled by hand. Everything is fine. I can't understand why it is disabled too.

Sent from my iPhone

On 21/04/2012, at 08:05, "Anthony G. Basile" <blueness@gentoo.org> wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level of all hardened profiles. The request came from jmbsvicetto because he required it for the hardened stages to build, but to be honest, I don't know why we have it disabled in hardened and it's probably leftover cruft from days gone by.
>
> Any reason not to, else it's gone.
>
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@gentoo.org
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
>
 
04-21-2012, 04:13 PM
"Francisco Blas Izquierdo Riera (klondike)"

RFC: Removing -unicode from all hardened profiles

On 21/04/12 16:55, Vinícius Ferrão wrote:
> Anthony,
>
> All my hardened boxes have Unicode enabled by hand. Everything is fine. I can't understand why it is disabled too.
Same here blueness, for me it can go and nobody will notice.
 
04-21-2012, 04:23 PM
Matthew Thode (prometheanfire)

RFC: Removing -unicode from all hardened profiles

On Sat, 21 Apr 2012 18:13:45 +0200
"Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org> wrote:

> On 21/04/12 16:55, Vinícius Ferrão wrote:
> > Anthony,
> >
> > All my hardened boxes have Unicode enabled by hand. Everything is
> > fine. I can't understand why it is disabled too.
> Same here blueness, for me it can go and nobody will notice.
>

I have had unicode enabled for a long time, both my mail server
understands it (so it can filter spam) and my laptop. Both have had no
issues.

--
Matthew Thode (prometheanfire)
 
04-21-2012, 06:25 PM
Michael Orlitzky

RFC: Removing -unicode from all hardened profiles

On 04/21/2012 07:05 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level
> of all hardened profiles. The request came from jmbsvicetto because he
> required it for the hardened stages to build, but to be honest, I don't
> know why we have it disabled in hardened and it's probably leftover cruft
> from days gone by.
>
> Any reason not to, else it's gone.
>
>

A few of our servers have it enabled (http, mail), but others don't
(vpn, firewall, nagios).

I think the hardened profile should default to having stuff disabled,
unless there's a reason to enable it. Every little bit increases your
surface area.

But I'm sure jmbsvicetto knows what he's doing, so that principle may
not apply here. If it's required, turn it on.
 
04-21-2012, 07:12 PM
Hinnerk van Bruinehsen

RFC: Removing -unicode from all hardened profiles

On 21.04.2012 13:05, Anthony G. Basile wrote:
> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root
> level of all hardened profiles. The request came from jmbsvicetto
> because he required it for the hardened stages to build, but to be
> honest, I don't know why we have it disabled in hardened and it's
> probably leftover cruft from days gone by.
>
> Any reason not to, else it's gone.
>
>

Hi,

Unicode works fine for me on several hardened systems. I don't think
that there would be real problems.
But to make sure: why don't you write a news item (eselect news ...
-thingy) that announces the switch?
Anyone who needs -unicode for some reason would have the chance to
update her or his make.conf (maybe even to go with "never change a
working system").

With kind regards,

Hinnerk
 
04-21-2012, 07:32 PM
Sven Vermeulen

RFC: Removing -unicode from all hardened profiles

On Sat, Apr 21, 2012 at 09:12:37PM +0200, Hinnerk van Bruinehsen wrote:
> Unicode works fine for me on several hardened systems. I don't think
> that there would be real problems.
> But to make sure: why don't you write a news item (eselect news ...
> -thingy) that announces the switch?
> Anyone who needs -unicode for some reason would have the chance to
> update her or his make.conf (maybe even to go with "never change a
> working system").

I don't think it is necessary to use a news item. These are generally for
when things might break. A change in USE flags that adds in optional support
generally doesn't break things (of course, there are always exceptions).

Users that run their upgrades with --new-use or --changed-use are already
expecting USE flag changes to occur (otherwise they wouldn't mention these
switches with emerge). If you notice that there are USE flags being enabled
or disabled that you'd rather not, just edit /etc/make.conf and live happily
ever after.

Although there is much to say about "minimal installation" for servers, this
is not always something that we, from a distribution point of view, can
enforce. Some features, and I think unicode is one of them, are well capable
of being supported on a default server. Especially with more and more users
and organizations adopting unicode as the default character format rather
than the older ISO-* ones.

Wkr,
Sven Vermeulen
 
04-22-2012, 11:26 AM
"Anthony G. Basile"

RFC: Removing -unicode from all hardened profiles

On 04/21/2012 07:05 AM, Anthony G. Basile wrote:

> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level
> of all hardened profiles. The request came from jmbsvicetto because he
> required it for the hardened stages to build, but to be honest, I don't
> know why we have it disabled in hardened and it's probably leftover cruft
> from days gone by.
>
> Any reason not to, else it's gone.

Okay, I will remove it in a minute. Answering some points:

1) Not a news item. News items IMHO are for things that require
significant user intervention, eg. when I changed up the entire profile
structure and the user had to eselect profile.


2) I'm only changing the default, so for those who still want unicode
off, you can still do USE=-unicode in your make.conf


3) I agree that hardened should be mostly off by default. Eg. ipv6 is
off by default. But as pressure mounts the switch to on by default may
have to occur as it has now with unicode and will happen some day with ipv6.



--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
04-23-2012, 06:17 PM
Kevin Chadwick

RFC: Removing -unicode from all hardened profiles

On Sun, 22 Apr 2012 07:26:19 -0400
Anthony G. Basile wrote:

> 3) I agree that hardened should be mostly off by default. Eg. ipv6 is
> off by default. But as pressure mounts the switch to on by default may
> have to occur as it has now with unicode and will happen some day with ipv6.

Good stuff.

There was a nasty input sanitisation avoiding bug in PHP that only
affected linux boxes with unicode enabled terminals. Maybe these bug
types have something to do with it.

I'd be in two minds, personally I can't remember using unicode on a
terminal and you could use base64 as a workaround. Many many will use it
though, so the default should be enabled.
 
04-29-2012, 03:07 PM
Ed W

RFC: Removing -unicode from all hardened profiles

On 23/04/2012 19:17, Kevin Chadwick wrote:

> On Sun, 22 Apr 2012 07:26:19 -0400
> Anthony G. Basile wrote:
>
> > 3) I agree that hardened should be mostly off by default. Eg. ipv6 is
> > off by default. But as pressure mounts the switch to on by default may
> > have to occur as it has now with unicode and will happen some day with ipv6.
>
> Good stuff.
>
> There was a nasty input sanitisation avoiding bug in PHP that only
> affected linux boxes with unicode enabled terminals. Maybe these bug
> types have something to do with it.
>
> I'd be in two minds, personally I can't remember using unicode on a
> terminal and you could use base64 as a workaround. Many many will use it
> though, so the default should be enabled.

Equally I would be thinking that we can find some bugs due to unicode
being off? Whether they would cause "security" failures is another matter.


It's probably on the tipping point that ipv6/unicode needs decent testing

Ed W
 

All times are GMT.