Mailing List Archive

Sabayon from Arch and systemd
Sabayon has a hardened kernel and emerge as well as binaries.

Is it possible to reduce compilation for hardened Gentoo by using
Sabayon, and how close to hardened Gentoo could I get?

I am currently using Arch and I am happy with the timely package
updates; however, I am not happy with the move to systemd and prefer
Gentoo's position of user power to Arch's upstream and dev power. This
lack of synergy with myself has surprised me as so many devs list
OpenBSD as a favourite OS. Opera failing to start with mprotect enabled
is also pushing me to migrate sooner with the final push being a panic
today in init just after freeing kernel memory by
CONFIG_GRKERNSEC_KERN_LOCKOUT introduced in either 3.2.33 or 3.2.34.

Do you use stable or unstable sources, and so Firefox 10 or 17, and which
gets updates first?

Would you say Firefox/Chromium is usually available to emerge within a
couple of days of release on mozilla.org?

Do you think a migration from arch will have more than a small learning
curve as my available time needs to be kept to a minimum at the
moment?

Thanks, Kc
Re: Sabayon from Arch and systemd
On 12/04/2012 04:46 PM, Kevin Chadwick wrote:
> Sabayon has a hardened kernel and emerge as well as binaries.
>
> Is it possible to reduce compilation for hardened Gentoo by using
> Sabayon, and how close to hardened Gentoo could I get?

Pretty close, and depending on what you want to do, probably good
enough. Sabayon has been adopting hardening of the toolchain and
binaries built with it --- I've given them some advice in this regard.
I don't think they've adopted hardened-sources on their images, but it's
there in emerge and they've made noise in that direction.

Having said that, what's the compile issue? It should take just as long
to build the kernel on Sabayon as Gentoo, all else being the same.

>
> I am currently using Arch and I am happy with the timely package
> updates; however, I am not happy with the move to systemd and prefer
> Gentoo's position of user power to Arch's upstream and dev power. This
> lack of synergy with myself has surprised me as so many devs list
> OpenBSD as a favourite OS. Opera failing to start with mprotect enabled
> is also pushing me to migrate sooner with the final push being a panic
> today in init just after freeing kernel memory by
> CONFIG_GRKERNSEC_KERN_LOCKOUT introduced in either 3.2.33 or 3.2.34.
>

This is a serious problem for lots of people. While some Gentoo devs
did not agree with our fork of systemd, they do agree that they will not
be forced to use systemd and will continue to isolate udev out of it.
Having looked at that code --- I'm one of the forkers --- I ask myself,
how much longer before that isolation becomes a rat's nest.

I'm not sure what "Gentoo" is except a group of devs who are brought
together by Portage, a package delivery and build system. Other than
that, it's pretty much anything. Put an -alt after it and Gentoo is there.

Anyhow, you'll always find some devs here who are sympathetic to what
you want to do, and others that will think you're crazy.


> Do you use stable or unstable sources, and so Firefox 10 or 17, and which
> gets updates first?
>
> Would you say Firefox/Chromium is usually available to emerge within a
> couple of days of release on mozilla.org?

Get on freenode/#gentoo or #gentoo-chat and ask Anarchy (ie Jory). He
does Firefox and Mozilla products and he is very sympathetic to hardening.

>
> Do you think a migration from arch will have more than a small learning
> curve as my available time needs to be kept to a minimum at the
> moment?
>
> Thanks, Kc

There with great knowledge comes great freedom! <- okay that was bad!

Gentoo is harder to maintain than Arch, no doubt. Read the handbook,
read man portage, man emerge and man make.conf and you should be good to
go. The handbook is at

http://www.gentoo.org/doc/en/handbook/



--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
Re: Sabayon from Arch and systemd
On Wed, 05 Dec 2012 06:57:55 -0500
"Anthony G. Basile" <blueness@gentoo.org> wrote:

> >
> > Is it possible to reduce compilation for hardened Gentoo by using
> > Sabayon, and how close to hardened Gentoo could I get?
>
> Pretty close, and depending on what you want to do, probably good
> enough. Sabayon has been adopting hardening of the toolchain and
> binaries built with it --- I've given them some advice in this
> regard. I don't think they've adopted hardened-sources on their
> images, but it's there in emerge and they've made noise in that
> direction.
>

So when you say pretty close, do you mean only if you use emerge and
hardened-sources for everything and not Sabayon's binary repos, at least
for the time being?

> Having said that, what's the compile issue? It should take just as
> long to build the kernel on sabayon as gentoo, all else being the
> same.

I build a grsecurity kernel for Arch, sign it, deliver it to a few
machines and update userland. I've found packages like parole, ALSA
instead of PulseAudio, AbiWord, gnome mixer instead of xfce-mixer and Opera
(until recently) that work with a fully enabled grsecurity kernel purely
to save time building as I have lots of uses for good machines, don't
believe in build machines running browsers and wish to minimise time
spent updating in any case. OTOH I've heard the major package builds
have binaries on gentoo to save users time so maybe the rest of userland
will be quite quick to build, I have been meaning to find out on a
gentoo test machine. I guess the hardened firefox with JIT disabled
isn't a pre-built?

Sorry for not replying sooner and thanks for the input.