On 05/15/10 11:25, Alex Efros wrote:
[...]
> Hmm. So, what is the recommended way to run a reliable and secure server
> and/or workstation today?
>
> - use the stable x86 kernel from main portage, which is outdated .28
>   without support from the PaX/GrSec team?
> - use the development kernel from the anarchy overlay, which is up-to-date
>   (now, but isn't guaranteed to always be up-to-date, I think), and which
>   is ... hmm ... development/unstable?
> - use the latest stable x86 vanilla-sources and manually apply PaX/GrSec
>   patches?
> - use the latest stable x86 gentoo-sources (which is expected to be better
>   than vanilla) and manually apply PaX/GrSec patches (which isn't
>   guaranteed to apply at all to gentoo-sources)?
That seems to sum it up. And when I advise folks on how much I like gentoo hardened, and what great work the hardened team is doing, it can be a little awkward referring them to: "Anarchy overlay"; "gentoo-hardened at freenode"; and of course the "bible":
<http://forums.gentoo.org/viewtopic-t-705939.html>

What IMHO should be the single starting point is:
<http://www.gentoo.org/proj/en/hardened/>
(The "last revised" date on this starting point is missing; the pages to which it refers seem to be all 3-5 years old.)

I'm guessing that the hardened team is working to bring their efforts up to standard, before officially updating the official gentoo hardened page with appropriate links. Wrong policy, IMHO.

In the interim, 'twould be nice:
- the good work of the hardened herd should be moved into the Gentoo documentation structure, and noted as "developmental, but deployed widely and successfully".
- the anarchy overlay should either be brought into portage core, or at least renamed (e.g. "hardened" overlay) and documented in the official Gentoo hardened pages.

I fear that folks looking for a hardened OS are passing Gentoo by, because of the present situation.