Qubes OS or Hardened Gentoo? Are there any other alternatives worth considering?


Hardened, only accepting free licences, plus the hardened-extra and deblob USE flags for max security, with PAM.

what is pam?

Pluggable Authentication Modules. There is also RBAC.

Wait, why not Gentoo in Qubes?

...

cuck-license openBS"Suck On Theo De Raadt's" D

(when VM's actually work)
why not Qubes inside Qubes inside Qubes

Gentoo Hardened, but sadly grsec is ded and hardened-sources is going to be removed.

Alpine.

Alpine seems interesting but it's not dedicated to security in that manner.

Couldn't they just stick with the 4.9 kernel, at least until support ends in a year and a half?

Well, using musl and libressl already puts it above Gentoo.
Wait for these:
bugs.gentoo.org/show_bug.cgi?id=430702
bugs.gentoo.org/show_bug.cgi?id=561854

Thank you, will definitely check it out. Why isn't everything statically linked?

Here is an official answer from Gentoo Hardened team.
archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff

You can try to do it yourself. There is also the minipli repo, but that seems to be stuck at 4.9.33, and there is the dapperlinux guy who is trying to forward-port the 4.9.24 patches to the newest kernels: github.com/dapperlinux/dapper-secure-kernel-patchset

He also has the newest 4.9.X LTS here: github.com/dapperlinux/dapper-secure-kernel-patchset-stable

LibreSSL and musl already work in Gentoo; I'm using LibreSSL myself at the moment.

systemd for su

Am I missing something? He said his patch is a forward port of the public 4.9 grsec patch, but then he said that his patch "will not match the advancements made by Open Source Security Inc on the Grsecurity patchset." I thought the public grsec patch had all the features of the subscriber patch, with the exception of return address protection, which it has a gimped version of. Is that what he's referring to when he said that his patch won't have all of grsec's features? Or are there some features besides RAP which just aren't included in the 4.9 patch?

What to do if you already have hardened gentoo installed now that grsec is kill?

It will have everything the last public patch has, but the grsecurity private patch will eventually have newer features, and they deliver support, so if you need better security and support you should get a license from them.

Oh. I was just worried that some features might have been removed from the public patch (besides full RAP).

On that topic, exactly how gimped is the public version of RAP? I know it is only applied to the kernel in the free patch, so userland applications are unprotected, but how complete is its coverage of the kernel? IIRC the free patch contains the deterministic-but-imprecise part of RAP (control flow integrity), but does not include the precise-but-probabilistic protection (return address cookies). If that's the case, it would seem like even the free version of RAP provides decent protection against code reuse exploits. Is that correct?

Because that's a retarded idea. Suckless and cat-v aren't always right unlike Holla Forums.

What other Linux distro should I use for a libre kernel with something similar to hardened-sources that is source-based? Source Mage, LFS?

Static linking is tremendous. Never need to deal with dependencies, much less bloat, many advantages.

Package managers do that for you.
Are you retarded? The entire point of shared libraries is HDD and memory deduplication.
Like having to recompile everything when zlib or libpng update or to be vulnerable as fuck?
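The static-versus-shared-library argument in the posts above comes down to one operational question: when zlib or libpng ships a fix, which binaries pick it up from a library update and which have to be rebuilt. The following is an added example (my code, not anything posted in this thread or taken from Gentoo or Alpine) that answers that from the ELF file itself, by reading the PT_INTERP program header and the DT_NEEDED entries of the dynamic section. The ELF image it builds as sample input is constructed in memory and never executed; the interpreter path and soname list inside it are assumptions for the demonstration.

```python
"""Decide whether a binary gets a library fix from a shared-object update or
needs a rebuild. Added example for this thread, not code from any project it
names. It parses little-endian ELF64 by hand, so it needs only the stdlib."""
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def parse_elf64(data):
    """Return {'dynamic': bool, 'interp': str|None, 'needed': [sonames]}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    loads, interp, dyn = [], None, None
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_INTERP:
            interp = data[p_off:p_off + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    # A program interpreter is what loads shared objects at run time; static
    # and static-pie binaries have none (static-pie still has PT_DYNAMIC).
    info = {"dynamic": interp is not None, "interp": interp, "needed": []}
    if dyn is None:
        return info

    def to_offset(vaddr):  # DT_STRTAB is a virtual address, map it via PT_LOAD
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("DT_STRTAB outside every PT_LOAD segment")

    entries, strtab, strsz = [], None, None
    dyn_off, dyn_size = dyn
    for j in range(dyn_size // 16):
        tag, val = struct.unpack_from(DYN_FMT, data, dyn_off + 16 * j)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
        if tag == DT_STRTAB:
            strtab = val
        elif tag == DT_STRSZ:
            strsz = val
    if strtab is None:
        return info
    start = to_offset(strtab)
    strs = data[start:start + (strsz if strsz is not None else len(data) - start)]
    for tag, val in entries:
        if tag == DT_NEEDED:
            info["needed"].append(strs[val:strs.index(b"\0", val)].decode())
    return info


def fix_path(data, soname):
    """How a fix in `soname` reaches this binary. A static binary cannot be
    judged from DT_NEEDED: if it embeds the library it must be rebuilt."""
    info = parse_elf64(data)
    if not info["dynamic"]:
        return "static: rebuild if it embeds " + soname
    if soname in info["needed"]:
        return "dynamic: fixed by updating " + soname + " and restarting"
    # Not a direct dependency; a transitive one (e.g. through libpng) is not
    # visible here, so this answer is only about the direct DT_NEEDED list.
    return "dynamic: no direct DT_NEEDED on " + soname


def scan_file(path, soname):
    with open(path, "rb") as f:
        return fix_path(f.read(), soname)


def build_fake_elf64(needed=("libz.so.1", "libc.so.6"), dynamic=True):
    """Constructed, non-executable ELF64 sample: one PT_LOAD mapped at vaddr 0
    plus, when dynamic, PT_INTERP and PT_DYNAMIC. Paths/sonames are assumed."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    ehsize, phentsize, phnum = 64, 56, 3 if dynamic else 1
    interp_off = ehsize + phentsize * phnum
    dynstr_off = interp_off + len(interp)
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7      # 8-byte align the section
    dyn = b"".join(struct.pack(DYN_FMT, DT_NEEDED, o) for o in offsets)
    dyn += struct.pack(DYN_FMT, DT_STRTAB, dynstr_off)
    dyn += struct.pack(DYN_FMT, DT_STRSZ, len(dynstr)) + struct.pack(DYN_FMT, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1, 0,
                       ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    phdrs = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    if dynamic:
        phdrs += struct.pack(PHDR_FMT, PT_INTERP, 4, interp_off, interp_off,
                             interp_off, len(interp), len(interp), 1)
        phdrs += struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                             len(dyn), len(dyn), 8)
    body = ehdr + phdrs + interp + dynstr
    return body + b"\0" * (dyn_off - len(body)) + dyn


if __name__ == "__main__":
    print(fix_path(build_fake_elf64(), "libz.so.1"))
    print(fix_path(build_fake_elf64(dynamic=False), "libz.so.1"))
```

Pointed at a real tree (scan_file over every ELF under /usr/bin, say, after a libz.so.1 advisory) this yields the list of binaries a library update alone will not fix. The check is deliberately conservative: anything without a program interpreter is flagged for rebuild whether or not it actually embeds the library, and a dependency reached only through another shared object is not in the direct DT_NEEDED list, so "no direct DT_NEEDED" does not mean unaffected.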

most of them suck

This, what do?

bsd tbh desu

I'd rather get pozzed with a Linux 0-day.

I've_only_used_apt_in_my_whole_life.tga
>

never used it. only used pacman and apk
just dont install it bro

My only objection is the licence; I won't be contributing to it. Also, it isn't source-based by default.
Is it possible to have hardened Gentoo as a spinoff distro? Can grsec be forked and developers just work on the forked source? I don't see the need to change distros, only to change mirrors for an updated hardened kernel.

Yes, Debian stable main (without contrib and without non-free) and OpenSUSE stable (without contrib and without non-free).

Unlike other "maintained by a single person" or derivative distros, these do have a dedicated security team, and get critical updates much faster.

Using Gentoo is pointless for a desktop system (you mentioned Qubes, so I guess you would use a desktop).

libpng and zlib don't change much, have been used for a long time and have been analysed by many. I guarantee you the average Rust library has more vulnerabilities than those.