[SOLVED] Which stage3 should I choose?

Message

viio · Post by **viio** » Tue Mar 17, 2020 5:41 pm

Hi,

I'm completely new to Gentoo and also relatively new to Linux in general.
Currently I'm digging my way through the documentation to familiarize myself with the installation proccess.

The next step is Downloading the stage tarball.

But I'm not exactly sure which "stage3" to pick.
I know that I want amd64 and multilib.

There is hardened and there is minimal.
However, my personal preference would be hardened+minimal...

There is a hardened+minimal, but only as "stage4".
I've found the following in the docs:

they are not intended to replace the usual Handbook-based installation method starting from a minimal installation CD or Gentoo LiveDVD and a stage3 tarball.

So I guess I should stay away from stage4 for now?

My overall goal with Gentoo is, to get a very stable, secure and minimal desktop installation for a laptop.
I don't need a desktop environment but xorg and i3wm. I'll try to stick to terminal applications as much as possible.

Should I go with hardened or minimal stage3?

What would be easier?
- Harden a system with minimal stage3
- Minimalize a system with hardened stage3

duane · Post by **duane** » Tue Mar 17, 2020 7:50 pm

As far as I know, there is no "minimal" stage 3. It's pretty minimal already. So, you should probably use the hardened one. However, it's fairly easy to change to a hardened profile, so you could do that at a later time if you wanted.

Post by **NeddySeagoon** » Tue Mar 17, 2020 8:11 pm

viio,

Welcome to Gentoo.

Are you confusing stage3 and stage4 tarballs, which are not bootable with the minimal ISO, which is just a toolkit to enable you to install Gentoo?
All the stage tarballs are multilib unless the have nomultilib in their names.

-- edit --

The stage3 tarball is those packages that every Gentoo install should have and is a good place to start if you want a minimal install.
There i very little that can be removed.

viio · Post by **viio** » Tue Mar 17, 2020 8:54 pm

duane wrote: As far as I know, there is no "minimal" stage 3. It's pretty minimal already. So, you should probably use the hardened one.

Yes you are right.
The minimal one was also a stage4, sorry for the confusing.

NeddySeagoon wrote: viio,

Welcome to Gentoo.

Thank you!

NeddySeagoon wrote: Are you confusing stage3 and stage4 tarballs, which are not bootable with the minimal ISO, which is just a toolkit to enable you to install Gentoo?

I'm not exactly sure what you mean.
In the installation documentation it is said to use the stage3 tarball.
Then I've seen there is a stage3 tarball and was wondering where's the difference.
So I looked up the wiki and found that page: Stage tarball

If I got this right, I shouldn't use stage4 but stick to stage3.
That's what I did.

NeddySeagoon wrote: All the stage tarballs are multilib unless the have nomultilib in their names.

Yeah, I assumed that.

NeddySeagoon wrote: The stage3 tarball is those packages that every Gentoo install should have and is a good place to start if you want a minimal install.
There i very little that can be removed.

Okay that's essentially what I wanted to know.

I went with the hardened one for now.
I'm doing my first steps in a virtual machine anyway... let's see how it works.

RoGeorge · Post by **RoGeorge** » Tue Mar 17, 2020 9:02 pm

I was confused by hardened versus non-hardened choice, too, especially after noticing the tar.xz of the hardened stage3 is smaller than the minimal stage3.
229.3MB stage3-amd64-20200304T214503Z.tar.xz
212.7MB stage3-amd64-hardened-20200311T214502Z.tar.xz

So, if it's not about size, then why there needs to be yet another version of a minimal stage3?
What are the drawbacks of using the hardened stage3?

Jaglover · Post by **Jaglover** » Tue Mar 17, 2020 9:23 pm

After you install the base system, set up your make.conf and run your first emerge -e everything what came with stage tarball will be replaced with locally built binaries. Why worry about something that is not going to last?

ff11 · Post by **ff11** » Tue Mar 17, 2020 9:35 pm

Well, i only use hardened if i really need it (like when installing servers).
My default is always no-multilib.
I keep telling myself that I can change at any time, but I never needed.
And I don't like to compile packages twice unnecessarily.

ff11 · Post by **ff11** » Tue Mar 17, 2020 9:50 pm

RoGeorge wrote:I was confused by hardened versus non-hardened choice, too, especially after noticing the tar.xz of the hardened stage3 is smaller than the minimal stage3.
229.3MB stage3-amd64-20200304T214503Z.tar.xz
212.7MB stage3-amd64-hardened-20200311T214502Z.tar.xz

So, if it's not about size, then why there needs to be yet another version of a minimal stage3?
What are the drawbacks of using the hardened stage3?

"hardened" is like "max security mode", against other, but against you too (or in your favor, if you are looking for more security). For normal users (non-server machines), security should be pursued by making backups first.
Take one look here: https://wiki.gentoo.org/wiki/Hardened/I ... ned_Gentoo

viio · Post by **viio** » Tue Mar 17, 2020 10:08 pm

Jaglover wrote:After you install the base system, set up your make.conf and run your first emerge -e everything what came with stage tarball will be replaced with locally built binaries.

I went through the whole installation documentation step by step but I was never told to execute "emerge -e".
And somehow "emerge -ep" does not work for me, altough both parameters are valid according to the manpage.

Jaglover wrote: Why worry about something that is not going to last?

So you are going to say that it does not matter if I use hardened or normal stage3?
But then why are there different stage3 files in the first place?
I assume I didn't get what you tried to say.

ff11 · Post by **ff11** » Tue Mar 17, 2020 10:25 pm

viio wrote:
Jaglover wrote:After you install the base system, set up your make.conf and run your first emerge -e everything what came with stage tarball will be replaced with locally built binaries.
I went through the whole installation documentation step by step but I was never told to execute "emerge -e".
And somehow "emerge -ep" does not work for me, altough both parameters are valid according to the manpage.

Jaglover wrote: Why worry about something that is not going to last?
So you are going to say that it does not matter if I use hardened or normal stage3?
But then why are there different stage3 files in the first place?
I assume I didn't get what you tried to say.

Don't worry about this now. The full command should be like:

Code: Select all

# emerge -ep @world

The "-e" option will rebuild everything (don't worry, "-p" don't allow that).

About the use of hardened or normal stage3, don't worry too. You can change anytime.

And for these that want to take your stress out , here the adult coloring book about selinux by redhat: https://people.redhat.com/duffy/selinux ... tapled.pdf

RoGeorge · Post by **RoGeorge** » Tue Mar 17, 2020 10:55 pm

ff11 wrote:Take one look here: https://wiki.gentoo.org/wiki/Hardened/I ... ned_Gentoo

That answered all my questions about why a non-hardened version still exists, thank you.
To summarize, the hardened features comes at the cost of some execution overhead, especially when the CPU lacks the hardware mechanisms (e.g. x86 does not have the required hardware to implement the pageexec mechanism, so on x86 PaX emulates this behavior at a software level).

Answered this question, too

viio wrote:why are there different stage3 files in the first place?

Because they are unrelated and independent projects, one for the normal Gentoo, the other one for the hardened Gentoo

https://wiki.gentoo.org/wiki/Hardened/Introduction_to_Hardened_Gentoo wrote:Hardened Gentoo is not a product or solution in itself, it is merely a project with a group of developers all working toward the same goal of very proactive security. The sub-projects contained in Hardened Gentoo are not related in any more way than they are hosted within the same project. You might think of it as the same way KDE and GNOME are both part of the desktop project, and both have a common goal, but are otherwise unrelated to each other.

ff11 · Post by **ff11** » Tue Mar 17, 2020 11:03 pm

RoGeorge,

You got the ideia.

There is also the possibility of using one normal profile, and put your services inside containers. Here more two coloring books:
* Container (because "Who's afraid of the big bad wolf?"): https://raw.githubusercontent.com/fedor ... dy/Web.pdf
* Container Commandos (the super-heroes that can save you): https://docs.fedoraproject.org/en-US/fe ... mandos.pdf

Jaglover · Post by **Jaglover** » Tue Mar 17, 2020 11:23 pm

I went through the whole installation documentation step by step but I was never told to execute "emerge -e".

Gentoo is DIY Linux and Handbook is just the reference to get your first steps right. Rest is up to you, most users think it is a good idea to rebuild your new system with your CFLAGS and USE flags ASAP. But you don't have to do it, it is your Linux after all, built with tools provided by Gentoo.