On Thu, 20 Feb 2014 11:29:52 +0100 Nicolas Sebrecht wrote:
> The 20/02/14, Nilesh Govindrajan wrote:
>
> > Gentoo makes the best server OS because it's a custom-built OS where the
> > admin knows each and every aspect of the OS. Security-wise, there is no
> > unwanted or unused stuff, so fewer bugs to deal with.
>
> While I agree with the "less code is less bugs" argument, I disagree with
> your point.
>
> Tuning software means that the binaries compiled on a machine are less
> used in the wild (other Gentoo systems have other hardware, enabled USE
> flags, etc.). Hence, the binaries executed on your local server are likely
> much less tested by others.
And this point is one of the highest security benefits in the real world: one has non-standard binaries, not available in the wild. Most exploits will fail on such binaries even if the vulnerability is still there. This will cut off most of the automatic botnet attacks even without additional security measures like a hardened setup, PaX or grsecurity (yeah, I never trusted SELinux because of its main author: a sane agency will never release a security tool which can be a hindrance to this agency).

Of course, if a system is specifically targeted by qualified professionals, this will only hinder their approach, but binary-based distributions will not provide any advantage here either.

Best regards,
Andrew Savchenko