On 20/02/2014 22:41, Nicolas Sebrecht wrote:
> On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote:
>
>> And this point is one of the highest security benefits in the real world:
>> one has non-standard binaries, not available in the wild. Most
>> exploits will fail on such binaries even if the vulnerability is still
>> there.
>
> While excluding a few security issues by compiling less code is possible,
> believing that "non-standard binaries" (in the sense of "compiled
> with local compilation flags") gives more security is a dangerous dream.
>
+1

"non-standard binaries" is really just a special form of security by obscurity. Or alternatively a special form of "no-one will eva figure out my l33t skillz! Mwahahaha!" Which is a very poor stance to take.

The total amount of code not compiled by setting some USE flags off is on the whole not likely to be very much, and hoping with fingers crossed that the next weakness in a package will just happen to fall within a code path that got left out by USE flags is a fool's dream.

I'm glad you mentioned this, Andrew, because the internets are full of stupid advice like this "non-standard binary" nonsense. Yes, the arguments at face value are difficult to refute with hard facts, but those that do not know it is stupid are easily led into a false sense of security, no matter how many disclaimers are tagged on the end.

I reckon it's the duty of all knowledgeable sysadmins to stamp out this crap HARD every time it raises its head.

To the user who brought it up - this might seem overly harsh, but I've yet to find a better method that actually works and gets through to people.

-- 
Alan McKinnon
alan.mckin...@gmail.com