many thanks to our security team for ignoring critical SSP bugs. the answer for me is no.
many thanks to our QA lead for replacing his head with a tomato. the answer for me is still no.

and many thanks to our council for supporting names like vapier and halcy0n (and wolf*lotsofnumbers*, i never knew he was into that kind of business) with their aggressive, destructive and pervasive notions of how people should conform to their fascist little black and white one in the stink two in the pink world. i still think the answer is no.

at least you got all the rotten tomatoes in one boat now and it's slowly sinking.
I'll be happy to leave you here with what you have. There have been no innovations hosted by Gentoo Linux on the security sector of host-based systems hardening for 5 years now. You fight people leaving faster than you can hire noobs to fill redundant positions because you fuckups still keep all your puppets in the right positions to decide what the public opinion is and what the people using Gentoo should "think" about your little /usr/portage experiment there.

well fuck you then, bitches.

whatever.

as always i'll have my last curtain with a song i loved when i was young- and maybe still do.
and now i have to admit- the answer to the above question for Gentoo Linux is definitely yes.

CAKE - The Distance

Reluctantly crouched at the starting line,
Engines pumping and thumping in time.
The green light flashes, the flags go up.
Churning and burning, they yearn for the cup.
They deftly maneuver and muscle for rank,
Fuel burning fast on an empty tank.
Reckless and wild, they pour through the turns.
Their prowess is potent and secretly stearn.
As they speed through the finish, the flags go down.
The fans get up and they get out of town.
The arena is empty except for one man,
Still driving and striving as fast as he can.
The sun has gone down and the moon has come up,
And long ago somebody left with the cup.
But he's driving and striving and hugging the turns.
And thinking of someone for whom he still burns.

He's going the distance.
He's going for speed.
She's all alone
In her time of need.
Because he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse,
He's going the distance.

No trophy, no flowers, no flashbulbs, no wine,
He's haunted by something he cannot define.
Bowel-shaking earthquakes of doubt and remorse,
Assail him, impale him with monster-truck force.
In his mind, he's still driving, still making the grade.
She's hoping in time that her memories will fade.
Cause he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
The sun has gone down and the moon has come up,
And long ago somebody left with the cup.
But he's striving and driving and hugging the turns.
And thinking of someone for whom he still burns.

Cause he's going the distance.
He's going for speed.
She's all alone
In her time of need.
Because he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
He's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
He's going the distance.
He's going for speed.
He's going the distance.

may the source be with you and your guards never fail at entropy.

Alex

PS: the next time you write bullshit about me in profiles/default/linux/package.use.mask, make sure you remove my name so i don't feel offended by your blatant ignorance of the problem itself.

>>> Regenerating /etc/ld.so.cache...
>>> sys-libs/gxslibc-2.6.1-r2 merged.

>>> No packages selected for removal by clean
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.
* Regenerating GNU info directory index...
* Processed 87 info files.

TMPFS chroot001 miranda ~ # export STATIC="-fstack-protector-all"; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o vuln-stack vuln-stack.c && file vuln-stack && readelf -s vuln-stack | egrep "__guard|__stack_smash"; ./vuln-stack 1234567891234567; einfo "return code: ${?}"; echo; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o ssp_entropy ssp_entropy.c && file ssp_entropy && ./ssp_entropy
vuln-stack: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, dynamically linked (uses shared libs), not stripped
2: 08049698 4 OBJECT GLOBAL DEFAULT 23 __guard@GLIBC_2.3.2 (3)
4: 00000000 30 FUNC GLOBAL DEFAULT UND __stack_smash_handler@GLIBC_2.3.2 (3)
78: 08049698 4 OBJECT GLOBAL DEFAULT 23 __guard@@GLIBC_2.3.2
80: 00000000 30 FUNC GLOBAL DEFAULT UND __stack_smash_handler@@GL
* return code: 46

ssp_entropy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, dynamically linked (uses shared libs), not stripped
__guard: [[0x288a2b8c]]

TMPFS chroot001 miranda ~ # export STATIC="-static"; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o vuln-stack vuln-stack.c && file vuln-stack && readelf -s vuln-stack | egrep "__guard|__stack_smash"; ./vuln-stack 1234567891234567; einfo "return code: ${?}"; echo; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o ssp_entropy ssp_entropy.c && file ssp_entropy && ./ssp_entropy
vuln-stack: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, statically linked, not stripped
1346: 0804f810 18 FUNC GLOBAL DEFAULT 3 __stack_smash_handler
1554: 080bc370 4 OBJECT GLOBAL DEFAULT 16 __guard
* return code: 46

ssp_entropy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, statically linked, not stripped
__guard: [[0xe686ece4]]

i invented return code 46 as SSP failure because i could not find a list of valid exit codes (unless segfault which is 127) at google.

-Alex


gcc -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0x353275b9]]




gcc -static -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c && ./ssp_entropy
__guard: [[0x3687e720]]




TMPFS chroot001 miranda ~ # cat ssp_entropy.c
#include stdio.h

extern unsigned long int __guard;

int main(void) {
printf("__guard: [[0x%x]]\n", __guard);
while(1) { ; }
return(0);
}


for learning about the whole story: http://bugs.gentoo.org/show_bug.cgi?id=182231

have fun and good night!

Phreak helped me to experiment with the virtuals in my new experimental toy profile on miranda chroots. I learned alot about catalyst and finally found out about my mistake that you need to roll up the portage tree (where you have added the created test profiles) into a portage-XXX.tar.bz2 and give this XXX name to the catalyst specs file before building the stages.

Otherwise it cannot find the profile in portage snapshot and print out an erroneous message about your profile being broken, simply because it cannot find it in the portage snapshot that was unpacked.

So, while experimenting with stage building and seeing to it that it works to create a masking of sys-libs/glibc and a virtual/libc mapping to my own testing version of sys-libs/hardened-glibc, for covering my future wanted changes for SSPx and AT_ENTROPY without touching the holy sys-libs/glibc grail of our toolchain team, it suddenly turns into a full fledged uphill battle that is impossible to win.

I am talking about reworking all affected packages in the tree to not depend on sys-devel/gcc any more but on virtual/cc or something like that- because we currently don't have a virtual for gcc. Good job, team.

Short spoken: our toolchain is currently maintained by a single person, happily monolithically aimed at glibc (and a bit of uclibc) and gcc.

Which in turn gives all the power of control over the base system, the standard lib and the compiler into the hands of one or two people without users or other devs being able to plug in or attach another modular approach to it.

Which basically means you don't have another choice but to use the glibc and gcc provided by our distribution. A distribution that was about choice, at least the last time i read it on our homepage.

I still remember the support and the backup of our gcc and glibc hackers when in 2002 and 2003 the hardened toolchain was still a young project compared to the other projects of Gentoo and how we were all working together on a shared vision... all gone.

Today it's about software quality and keeping your hands on your packages which in turn control the behaviour of a complete GNU/Linux distribution.

Thank you very much.

Alex

good book, if you leave aside the obnoxiously evident google-fanboyism

today it's the birthday of Edmund Stoiber and Bushido- lmao

-Alex

Thu Jul 26 15:39:49 CEST 2007

In der griechichen Mythologie, oder war es die lateinische, oder ist das beides das gleiche, trug Atlas die Welt auf dem R

lots of things are happening in my life at the moment.
i found a new job which is great because i am confident that this will bring me through the final year of my bachelors degree without financial problems plus i am forced to spend time with a good friend and the atmosphere there (four developers and one coffee machine) feels like working in a corporate living room.

The only drawback: it's a C# and Visual Studio 2005 job with .NET 3.0.

This stuff feels more professional and pays the rent, a step forward from that silly undermanaged Java project i worked at school for two years- it paid the rent but didn't feel professional

So what about the open source compiler hacks i am contributing, which from a neutral point of view nobody needs to continue maintaining or wants to benefit from anyway- take a look at the gorgeous project management of our all beloved toolchain maintainers and hardened toolchain maintainers and add 1 to 1. What has happened during the last year and what is happening in the next year? In my eyes in the last year nothing useful has happened to the 3.4.x to 4.x transmission shift but we all saw the fruitless try to offload the integration of maintenance, integration and implementation work of the hardened toolchain suite to an overworked baseline toolchain team at Gentoo and that this didn't really benefit the hardened team. Together with a leadership vacuum we're in a master/slave role now waiting for our fellow developers to give way to our glibc/gcc modding stuff finally being visible by the users of our distribution- or have them forced to use a locked up overlay that has no real status or integration with the baseline either. Get your act together. My plans for SSPx are still valid and justified. And PaX userland development is not sleeping, and when it comes knocking at the door, we should have an answer how to make room for it in our hardened project. And you better have a good answer and not "let's see how toolchain devs think about all of this".

Alex