User: Password:
Subscribe / Log in / New account

Minimizing packages

Minimizing packages

Posted Jun 26, 2007 4:01 UTC (Tue) by njs (guest, #40338)
In reply to: Minimizing packages by flewellyn
Parent article: Counting vulnerabilities

I know, but that's not very relevant to what I'm talking about. The issue I'm pointing out is that your particular set of programs each compiled with your particular quirky set of USE flags might have some novel security bug that no-one else noticed. Code that lots of people use tends to be well tested and highly scrutinized; weird and rarely used #ifdef'ed code tends to be just the opposite. This thread is advocating using more of the latter sort of code, and thus might actually increase security exposure. Running that same rarely used code across 10 boxes instead of 1 won't affect how much scrutiny it gets, you need lots of people in lots of different situations to get that.

It's hard to know whether this extra risk is important or just theoretical, though, hence my curiosity about quantifying it...

(Log in to post comments)

Minimizing packages

Posted Jun 26, 2007 8:21 UTC (Tue) by flewellyn (subscriber, #5047) [Link]

I can see how that might theoretically be a problem, but in all honesty, the set of USE flags for a
particular package doesn't have that much crazy variation.

In general, the USE flags tend to correspond to features that can be added or removed via
arguments to ./configure, so the number of variants for any particular package is no larger using
Gentoo than it would be using source-compiled packages that you did the ./configure; make;
make install dance on yourself.

Setting weird compiler optimization flags in the global make.conf, now, there I can see a source
of issues. Of course, so could the Gentoo developers, which is why the docs say not to do that.

Minimizing packages

Posted Jun 28, 2007 16:21 UTC (Thu) by jzbiciak (subscriber, #5246) [Link]

The point is that distro binaries very, very, very seldomly get rebuilt by the distro's users for most other distros. So, if one RHEL4 box is vulnerable in package XYZ due to how package XYZ was configured for RHEL4, then pretty much all RHEL4 users that have that package installed will have that vulnerability on their system.

In contrast, if the same package is available on Gentoo, and it's only vulnerable if you configure XYZ to make use of some other package PDQ, then only Gentoo users who have configured XYZ to use PDQ will be vulnerable. The same goes if you build a bunch of packages from source on any other distro, but only for those packages.

That's the distinction that's being drawn.

The flipside is that there might be some unforseen interaction between packages that a particular Gentoo configuration might expose and that other configurations won't. Since any given configuration will get less scrutiny, there's a higher chance of a given Gentoo box being vulnerable *on the basis of scrutiny alone*. The reality is that that's mostly theoretical, and in general removing features tends to (but does not always) remove vulnerabilities.

Minimizing packages

Posted Jun 27, 2007 7:47 UTC (Wed) by HenrikH (subscriber, #31152) [Link]

You are correct in that USE flags would yield a possibility that one runs programs with unknown holes in them, but then the attacker must also be aware of these unknown holes and also know that you compiled your packages with that very specific USE flags.

Not that it gives a warm and fuzzy feeling, but it would still be some uphill for a potential attacker. And more importantly is that thanks to the wide spread of USE flags a lot of previously unknown bugs will be reported (and hopefully fixed) due to the great variety of the users.

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds