• Burger@burggit.moeOP
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      1 year ago

      Funny story. Before hosting this site, I used to run my server infra on nothing but Gentoo VMs. It was very neat but ultimately I ended up switching away from it because keeping each VM up to date proved to be a pain even with a designated “compile server VM” which would distribute the compiled binaries to the VMs that were configured for it.

      If you want the top most security in Linux land, Gentoo is what you want. With everything compiled for your CPU’s microarchitecture, the memory addresses for which to trigger exploits such as stack smashing will be different so a skiddie cannot run their exploit kit on you.

      • Burger@burggit.moeOP
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        1 year ago

        Now if you had your choice on a Unix or Unix-like system, I’d go with this if you want something absolutely impenetrable:

        • Burger@burggit.moeOP
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          From my uneducated opinion, yes and no. Kernel ASLR (Address Space Layout Randomization) is a thing, same with PiE (Position independent Executables) the former can be turned on but the latter, you have to compile your software with those flags. PiE offers stack smashing protection. Some distros do not ship this but the list is growing shorter by the day.

          Gentoo allows you to use USE flags which instruct Portage (Gentoo’s package manager) to fetch the libraries required to compile the feature you specified. In short, USE flags basically tell the package what features you want. You can compile your software to be as nimble as possible. Less code means less attack surface that attackers can exploit. On Gentoo even the toolchain you use to compile software is compiled in of itself when you run emerge world.