I guess I did it.
Apparently I installed Gentoo on my machine. It's fine for what it is, most annoyances I had were during the install due to my linux-unfriendly hardware [1]. What hardware I use you can see in the screenshot, but if you are too lazy to zoom in, it's a Ryzen 5 1600 and a GTX 970 with 16GB of RAM. Sounds good right? Ye, it is and it is the first machine I installed Gentoo on where it didn't need ages to compile everything. Don't get me wrong, I sat there a whole day, but in comparison to the Core 2 Duo of my old Thinkpad T61, it's a day and night difference.
My make.conf is not too full, it does everything I need and a tiny bit more, but is pretty small nonetheless. The only two useflags worth talking about are hardened and -telemetry. The former enhances security in the toolchain, as the Gentoo site says, and the latter one makes sure that packages do not include telemetry. [2]
I am planning on routing all my traffic through Tor. As of now most of my traffic is already going through Tor, but it's all done manually and separately, nothing system-wide. I am on doing that. I will first try that on my other machine, if that works I will aim to do that on my main machine too. Here are some guides I found on doing that:
To avoid more hassle than needed I just followed the AMD64 handbook and did not install any full disk encryption with LUKS and LVM. Now, I regret it. Now, I have basically two options: installing something like VeraCrypt or booting into a live CD and installing the encryption with dm-crypt manually. The latter one honestly sounds like I am losing all my data plus some unneeded kernel panics (I have to change some stuff in the kernel to do so) as well. The former is probably easier, but it feels less secure. So, I don't know. Currently I do not have time for either one of the two, but when I get permanently home again, I will consider getting some disk encryption like all the cool kids have it nowadays.
Eh, I wanted to include another post from nanochan here on how to secure the bootloader, but it's not available now, so maybe next weekend I will write more about this.
This might be one of the points where OpenBSD is far superior by default, but on this computer I am running right now I have no choice but to run GNU/Linux (if I want a free as in freedom operating system). Back in the day I ran Whonix virtual machines, which I used exclusively for all internet-related stuff. The problem with this setup, and the reason why I do not use it anymore, is that it's bloated, very bloated. VirtualBox, Whonix, all the stuff Whonix brings with it and the kernel modules needed to run it, all of it, is just very big, bloated and a huge security risk. It doesn't matter how private and anonymous my network traffic is if there are a thousand and one ways to compromise my system.
The best tools for this purpose are probably AppArmor and Firejail, both have very low overhead and are pretty minimalist, while achieving what I need. I'll keep you up to date on that.
Sometimes the system stalls for no reason and doesn't react at all if you use it for a fairly long amount of time, but that's the only complaint I have and when I have time and at least a bit of a clue where it comes from and why it behaves the way it does, I will fix it. UPDATE: Apparently it's some stuff with the video drivers, I do not have the motivation to look further into it, but at least I know what it is.
The -telemetry useflag is more or less useless if you are not using KDE, as most packages that have it, of which there are few, are KDE packages. I didn't know that when writing this and I certainly didn't know that when I included (or rather excluded) that useflag in my config. You can learn more about the useflag here.
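As an added example (not part of the original post), here is a small POSIX shell function that checks the point made in the update: which installed packages actually expose the telemetry USE flag, and whether it ended up enabled at build time. It reads Portage's installed-package database (/var/db/pkg by default), where each category/package-version directory carries an IUSE file (flags the ebuild offers, possibly prefixed with + or -) and a USE file (flags enabled when it was built). The database root and the flag name are parameters so the function can be pointed at a constructed test tree; the package names in the usage note below are made up.

```shell
#!/bin/sh
# Added example, not from the original post: report which installed packages
# expose a given USE flag (default: telemetry) and whether it is enabled.
# Reads the Portage installed-package database (vdb); /var/db/pkg by default.
telemetry_report() {
    vdb="${1:-/var/db/pkg}"
    flag="${2:-telemetry}"
    found=0
    for iuse in "$vdb"/*/*/IUSE; do
        # an unmatched glob stays literal, so skip anything that is not a file
        [ -f "$iuse" ] || continue
        pkgdir=$(dirname "$iuse")
        # IUSE entries may be written as telemetry, +telemetry or -telemetry;
        # strip the default marker before comparing whole words
        if tr ' ' '\n' < "$iuse" | sed 's/^[+-]//' | grep -qx "$flag"; then
            found=$((found + 1))
            # USE lists the flags that were actually enabled for this build
            if [ -f "$pkgdir/USE" ] && tr ' ' '\n' < "$pkgdir/USE" | grep -qx "$flag"; then
                state=on
            else
                state=off
            fi
            rel=${pkgdir#"$vdb"/}
            printf '%s: %s=%s\n' "$rel" "$flag" "$state"
        fi
    done
    printf 'packages exposing %s: %d\n' "$flag" "$found"
}
```

Run `telemetry_report` with no arguments on a Gentoo box to see the real list; on a system without KDE it will typically print only the final count line, which is exactly why the flag changed little here. On a constructed tree where `kde-apps/example-app-1.0` offers `telemetry` but was built without it, and `kde-plasma/example-shell-1.0` was built with it, the output is one `telemetry=off` line, one `telemetry=on` line and `packages exposing telemetry: 2`.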