| View previous topic :: View next topic |
| Author |
Message |
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 3755
|
 Posted: Tue Aug 13, 2024 7:24 pm Post subject: |
 |
|
Bugzilla[EDIT] fixed 
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
| Back to top |
|
 |
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4845
Location: Bavaria
|
| Posted: Thu Aug 15, 2024 11:57 am Post subject: |
|
|
| kimchi_sg wrote: | | And the system set is half the size compared to the same if I used default openrc+plasma profile |
I am also a friend of minimal systems; if only because it also increases security (programs that do not exist cannot contain a security-critical bug), because I am a bit paranoid about security. That is exactly why I am writing here.
I go the way that I use a plasma-profile and deactivate all use flags that I don't need, such as:
| Code: | | USE="-accessibility -activities -bluetooth -gstreamer -gtk -gtk3 -haptic -initramfs -ipv6 -lvm -modemmanager -networkmanager -phonon -ppp -pulseaudio -screencast -semantic-desktop -thin -thumbnail -wext -wifi -wireless" |
I then compared your use flags with mine. Most of them are just support for various file formats (gif, mng, mp3, mp4, mpeg, pdf, svg, tiff; some I even added: matroska, openexr, opus, theora, webp) and of course you can turn them off if they are not needed. Another one only affects the speed of compiling qtwebengine (jumbo-build).
But what made me wonder are use-flags that increase security:
These three are already hard activated by the profile - have you activated this too?
| Code: | | sys-devel/gcc-13.3.1_p20240614:13::gentoo USE="... (default-stack-clash-protection) (default-znow) ... (pie) ..." |
A different use flag only makes sense with very modern CPUs - but it does not interfere:
| Code: | | sys-devel/gcc-13.3.1_p20240614:13::gentoo USE="cet ... |
| Code: | [+ D ] cet
sys-devel/gcc: Enable support for control flow hijacking protection. On amd64, this provides Intel Control Flow Enforcement Technology (CET). On arm64, this provides Branch Target Identification (BTI) and Pointer
Authentication Code (PAC) support. This is only effective on amd64 or arm64. Only provides benefits on newer CPUs. For Intel, the CPU must be at least as new as Tiger Lake. For AMD, it must be at least as new as
Zen 3. This is harmless on older CPUs, but provides no benefit either. |
"xattr" is also absolutely necessary for a hardened system.
_________________
https://wiki.gentoo.org/wiki/User:Pietinger |
|
| Back to top |
|
|
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 929
Location: Romania
|
| Posted: Fri Aug 16, 2024 12:08 pm Post subject: |
|
|
| pietinger wrote: | Another one only affects the speed of compiling qtwebengine (jumbo-build).
|
This is an important note.
There are use flags than, when set, make things more minimal of faster.
Notably USE="mininal asm threads jumbo-build pgo"
And also USE=lto (I still set this, but the primary way for lto is adding -flto to CFLAGS and CXXFLAGS, which I also do)
And USE=jit, which is not always used just for optimization.
And probably others, e.g. USE=jemalloc for palemoon
The options above usually come with tradeoffs, which must be researched.
For example, USE=jumbo-build increases memory usage and sometimes causes builds to fail.
USE=pgo doubles build time, etc.
| pietinger wrote: |
"xattr" is also absolutely necessary for a hardened system. |
You mean acl?
_________________
My overlay: https://github.com/stefan11111/stefan_overlay
INSTALL_MASK="/etc/systemd /lib/systemd /usr/lib/systemd /usr/lib/modules-load.d *udev* /usr/lib/tmpfiles.d *tmpfiles* /var/lib/dbus /usr/bin/gdbus /lib/udev" |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4845
Location: Bavaria
|
| Posted: Fri Aug 16, 2024 7:39 pm Post subject: |
|
|
| stefan11111 wrote: | | You mean acl? |
No, I have meant xattr ... what do you get if you do these queries ? ->
| Code: | ~ # ls- al /usr/bin/ping
-rwx--x--x 1 root root 89688 23. Mär 19:12 /usr/bin/ping
~ #
~ # getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep
~ #
~ # getfattr -m . -d /usr/bin/ping
getfattr: Entferne führenden '/' von absoluten Pfadnamen
# file: usr/bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA= |
(maybe you are interested in "man capabilities" and/or https://wiki.archlinux.org/title/Capabilities ?)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger |
|
| Back to top |
|
|
kimchi_sg
Advocate
Joined: 26 Nov 2004
Posts: 3035
|
| Posted: Tue Aug 27, 2024 12:24 am Post subject: |
|
|
| pietinger wrote: |
These three are already hard activated by the profile - have you activated this too?
| Code: | | sys-devel/gcc-13.3.1_p20240614:13::gentoo USE="... (default-stack-clash-protection) (default-znow) ... (pie) ..." |
|
I don't go to the extent of overriding hard-enabled flags.
| pietinger wrote: |
"xattr" is also absolutely necessary for a hardened system. |
Functionally it makes no difference so I leave it off, security-conscious folks can turn it on again... choice is king.  |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4845
Location: Bavaria
|
| Posted: Tue Aug 27, 2024 1:07 am Post subject: |
|
|
| kimchi_sg wrote: | | pietinger wrote: |
These three are already hard activated by the profile - have you activated this too?
| Code: | | sys-devel/gcc-13.3.1_p20240614:13::gentoo USE="... (default-stack-clash-protection) (default-znow) ... (pie) ..." |
|
I don't go to the extent of overriding hard-enabled flags. |
I may have expressed myself misleadingly: I did not mean to overwrite them, but to ask whether they are activated (which they should be).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Documentation, Tips & Tricks
