I'm aware of Qubes. But as long as it is based on rpms, I won't make the
time investment necessary for studying it.
It would be good if Joanna would realize that a source-based rolling
distro is easier to handle for their purposes. I wasn't aware this was
addressed on the mailing list. BTW Laszlo Zrubecz is a Hungarian guy. But
I don't know him.

Handling the firefox situation at the ebuild level is pretty simple, since
we have pax-marking available now for use. The real solution would be to
teach upstream about security and proper memory handling, as was
mentioned by paxteam and others as well. It is not just erroneous
from the security point of view; the whole concept of fixed-address
mmap is not correct.

It would be good not to think about disposable VMs because of
security-blind applications. I still haven't given it up. I hope 2012 will
be better! :-)

Happy New Year:
Dw. (Central European Timezone)
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Sunday, January 1, 2012, at 01:39, 7v5w7go9ub0o wrote:
> On 12/31/11 08:43, "Tóth Attila" wrote:
>> Isn't it miserable to see that, as time is passing by, more and more
>> important software (java, python, libreoffice, firefox) conflicts
>> with more and more PAX restrictions? I would expect exactly the
>> opposite. But it seems, that developers become less and less aware
>> (or care less) about security.
>>
>> Nowadays I would rather run libreoffice and firefox in a jail. But I
>> have no time to set up an environment and grsec policy for it.
>
> Heh...better yet; using VMs - with optional hardware assistance.
>
> Joanna Rutkowska of <http://theinvisiblethings.blogspot.com/> , who is
> well-known as an effective white-hat cracker, is developing a "secure"
> OS she calls Qubes <http://qubes-os.org/Home.html>
>
> She's presently using fedora as the Linux source distribution, but
> there's been a lot of enthusiastic discussion among some of the beta
> testers about changing to Gentoo
> <https://groups.google.com/group/qubes-devel/browse_thread/thread/588399cdd43da28c#>
>   and some of these guys seem poised to go for it.
>
> Should the switch occur, one would painlessly have hardened Gentoo VMs,
> managed by a XEN bare-metal hypervisor.
>
> In the case of Firefox 9.0 (actually, now Firefox 9.0.1), one could
> safely continue with Firefox 8.0 in temporary ("disposable") VMs 'til
> the Gentoo developers (who are volunteers, generously donating personal
> time) get a chance to address the issue.
>