IRC Logs for #crux-devel Monday, 2014-07-21

jaegerdon't push anything to opt at the moment if you can avoid it, I accidentally overwrote one of the git hooks00:41
jaegerok, undid that bit of stupid, sorry00:44
jaegercore, opt, xorg, contrib, and compat-32 should all now be using the revised hook scripts00:49
jaegerAnyone think jue would mind me updating opt/jre?01:49
*** mechaniputer has joined #crux-devel02:09
*** mavrick61 has quit IRC02:43
*** mavrick61 has joined #crux-devel02:44
*** Workster has joined #crux-devel03:14
Worksterjre and jdk or just jre?03:18
Workstershould we be on 8u series now? or 7u6503:19
*** mechaniputer has quit IRC04:18
*** mike_k has joined #crux-devel06:57
*** mike_k has quit IRC12:06
jaeger8's still too new in my opinion12:07
*** mike_k has joined #crux-devel12:15
*** mike_k has quit IRC14:15
*** mechaniputer has joined #crux-devel14:27
*** mechaniputer has quit IRC14:31
*** deus_ex has quit IRC14:37
*** deus_ex has joined #crux-devel14:38
*** mechaniputer has joined #crux-devel14:39
jaegerhrmm, qt4 doesn't build too well with distcc14:47
*** mike_k has joined #crux-devel14:49
Amnesiajaeger/frinst, in crux's current shape, it's missing out multiple essential protections against memory corruptions14:50
Amnesiathese protections can be added using a couple of CFLAGS14:50
AmnesiaAre there any plans to change them?14:51
AmnesiaI could try and recompile my system using the hardened toolchain, but I guess that'd take a while since I haven't got that much horsepower14:51
Amnesiaso is one of you by any chance interested to do some research on it aswell?14:51
jaegerNot at present. The idea is to stay as generic as possible. Any user is of course welcome to harden as much as they like but I'm not in favor of doing that by default for the distro releases14:52
jaegerWith that said, to which specific CFLAGS are you referring?14:52
Amnesiastack-protector{-strong} and _FORTIFY_SOURCE14:53
AmnesiaI definitly like the "as generic as possible" approach, but does that still count when that means we're shipping something that's essentially insecure?14:54
Amnesiaobviously none of the protections are 100% effective, since most of the protections can be circumvented, but they definitly make the process of exploitation a lot harder14:54
Amnesiausing only -O2 -march=x86-64 doesn't even cover stack canaries, which makes it childs play to exploit multiple vulnerabilities14:55
jaegerPersonally I'm *extremely* wary of hardening by default, I had huge problems with it using gentoo at my last job and wasted tons of time trying to fix/work around the issues14:55
Amnesiawell, stack-protector isn't that intrusive14:56
Amnesiabtw, we could try and rebuild everything using some generic hardening features right?14:56
Amnesia <- those defaults are kinda sane imo14:56
jaegergotta go AFK a bit to help a coworker, will be back14:57
frinnstgood luck building stuff like glibc with it enabled15:19
frinnstI too like to avoid making such decisions for users. it should be up to the user to build / run stuff how they like15:20
frinnstour job is to create an iso that works and maintain ports. If we were a binary distro the debate would be interesting15:21
frinnst.. imho ofcourse15:21
Amnesiafrinnst: hm, from a security perspective it's a nightmare:/..15:25
Amnesiabtw, most of it can be grabbed from other major distributions15:27
Amnesia(whilst maintaing the KISS principle and generic configs)15:27
Amnesiaand regarding glibc, obviously there're exceptions15:28
AmnesiaIt's worth a shot right..?15:31
jaegerstill semi-AFK but I have a suggestion: try this on your machine, see if you can bootstrap an ISO properly and build some of the popular stuff like firefox, qt4, or whatever16:15
teK__Amnesia: I suggest creating a wiki page on that topic16:17
mechaniputerI'm not a dev, but as a user, I second the wiki page idea. I don't know as much as I'd like to about this stuff.16:18
*** mechaniputer has quit IRC16:31
jaegerI do think it's an interesting topic. I'm just not sure it's best for the generic install. I'm willing to give it the benefit of an investigation, at least.17:56
frinnstI will probably need to be convinced it's a useful feature for the ISO17:58
frinnstand pkgmk.conf17:58
jaegerI'm for security in general but it needs to be transparent and not cause a lot of hacks or workarounds in ports18:04
frinnstim all for adding -no-stack-protection or whatever the flag is to some ports that dont work with it, sure. But i dont really think enabling it by default is the right choice18:11
frinnstit should be up to the user to set their own cflags18:11
jaegerIt would help to know the exact scope of the possible exploit, perhaps18:12
teK__we can have a wiki page, see how many users use the flags with whatever success and then decide for an official recommendation or put it in one or another form into pkgmk.conf.18:39
jaegerseems popular, at least19:04
*** mechaniputer has joined #crux-devel19:58
Amnesiafrinnst: stack protection goes back to the 90s...:p20:16
Amnesiais there by any chance someone that's got the option to use distributed compilation?20:16
teK__Romster wrote a whole wiki page on distcc20:17
AmnesiaI meant, the hardware20:18
teK__just me and my tiny laptop here20:19
Amnesiasame here20:20
jaegerask Romster, he has like 87 core 2 duos or something these days20:20
AmnesiaI actually think 95% will compile just fine with hardended flags20:23
*** mike_k has quit IRC21:04
*** mechaniputer has quit IRC21:18
*** mechaniputer has joined #crux-devel21:19
*** mechaniputer has quit IRC21:34
Romsteractually 3 core 2 duos so far and a xeon quad core and two phenom II's quad cores22:52
jaegerwhich is very similar to 87 core 2 duos if you squint :D23:09
Worksteri wish i had that many23:13
*** mechaniputer has joined #crux-devel23:55

Generated by 2.11.0 by Marius Gedminas - find it at!