this post was submitted on 05 Jul 2023
30 points (100.0% liked)
Loli Memes and Talk
2 readers
1 users here now
For memes and discussion pertaining loli.
Rules (in progress):
- No pornography, but if it's NSFW then click the NSFW button.
- Posts should be either a meme or text post.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Funny story. Before hosting this site, I used to run my server infra on nothing but Gentoo VMs. It was very neat but ultimately I ended up switching away from it because keeping each VM up to date proved to be a pain even with a designated "compile server VM" which would distribute the compiled binaries to the VMs that were configured for it.
If you want the top most security in Linux land, Gentoo is what you want. With everything compiled for your CPU's microarchitecture, the memory addresses for which to trigger exploits such as stack smashing will be different so a skiddie cannot run their exploit kit on you.
would it be possible to do the same with another distro, with proper configutation?
From my uneducated opinion, yes and no. Kernel ASLR (Address Space Layout Randomization) is a thing, same with PiE (Position independent Executables) the former can be turned on but the latter, you have to compile your software with those flags. PiE offers stack smashing protection. Some distros do not ship this but the list is growing shorter by the day.
Gentoo allows you to use USE flags which instruct Portage (Gentoo's package manager) to fetch the libraries required to compile the feature you specified. In short, USE flags basically tell the package what features you want. You can compile your software to be as nimble as possible. Less code means less attack surface that attackers can exploit. On Gentoo even the toolchain you use to compile software is compiled in of itself when you run emerge world.