More specifically, Portage. I know USE flags and “optimization” are all the hype, but really, would the average user even see a benefit from customizing all their USE flags? Especially a benefit that compensates for the constant compilation?
I installed it once to help grow my e-peen, but immediately switched back to Arch after watching my system compile.
Those who daily drive it, do compilation and USE flags annoy you, and do you see any real benefit?
Annoy is completely the wrong term. You get control over what is to be built and what’s not, and since software is compiled and optimised according to my hardware, it is lighter and faster with less attack surface.
It may sound cumbersome for a novice to set up the Portage configuration, but in return it is really worth the time, and it is usually a one-time job unless you plan to add or remove features. Once you’re satisfied with your configuration, you don’t have to look back at it.
I found YouTubers complaining about going through hour-long upgrades on a daily basis very misleading. Only a few core packages can take that long, and those are upgraded on a quarterly basis.
Wait, did you seriously call it hype? Before switching to Gentoo, I was using Arch; here software has better support for each other, and if a feature isn’t working you can always talk with the dev about how to resolve it. They might even look into modifying the ebuilds to make them compatible.
FYI, I never came across any breakage and I’ve been using Gentoo for about a year now.
You don’t update your system? This is what turned me away from Gentoo. I set up my system just the way I wanted, but every time you upgrade you re-compile everything again and again. And some of those updates require some tinkering.
You misunderstood. The configuration is one time. Updates and patches get configured according to your configuration.
FYI, the updates you get are also pre-compiled by the distro team, and are compiled with generic flags to ensure compatibility.
How would it decrease the attack surface?
You not only need the application and required libraries, you also need the full toolchain to build it. I don’t see how this doesn’t drastically increase the attack surface.
Because you can compile parts out of many programs and suites; you can also change dependencies, such as never including audio support or MP3 libs for anything. Sure it means no sound but if you’re on a system without speakers then it’s no real loss and you’ve reduced your attack surface.
You still need all the tools needed to compile, which you don’t need if you only use binaries. The resulting binary might be smaller, but the overall process is much larger.
Unless you are going to do a security audit on each step of the build process, I don’t see how you are reducing the attack surface.
Most people have some compilation tools installed on a binary-based Linux. The toolchain, yes, would increase the surface too, but being able to entirely remove specific parts of the OS, or say kernel code that is entirely unused, reduces your surface. You can’t exploit code that isn’t there.
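The two posts above describe the same move: disable a feature class (here, audio) through USE flags so the code is never built, then make sure nothing is still pulling it in. The following is an added example, not code from the thread or from Gentoo itself. The config snippet and the three `[ebuild ...]` lines are constructed to resemble Portage's `make.conf`/`package.use` syntax and `emerge -pv` output; the helper `pkgs_with_flag` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not part of the thread): drop audio support via USE flags,
# then audit that no package in a pending update still builds with those flags.
#
# 1. Constructed /etc/portage configuration, global default plus one override:
#
#    /etc/portage/make.conf
#      USE="-alsa -pulseaudio -mp3"
#    /etc/portage/package.use/no-audio
#      media-video/ffmpeg -alsa -mp3 -pulseaudio
#
# 2. `emerge -pvuDN @world` prints one "[ebuild ...] cat/pkg-ver USE=..." line
#    per package with the USE string that would actually be applied. The
#    function below scans such output for packages that still ENABLE a flag.
#    SAMPLE_EMERGE_OUTPUT is constructed to look like that output; on a real
#    box pipe the emerge command into pkgs_with_flag instead.

SAMPLE_EMERGE_OUTPUT='[ebuild     U  ] media-video/ffmpeg-6.1.1 USE="alsa* mp3 -pulseaudio -sdl" 0 KiB
[ebuild     R  ] media-sound/mpg123-1.32.6 USE="-alsa -pulseaudio -jack" 0 KiB
[ebuild  N     ] app-editors/vim-9.1.0 USE="python -X -sound" 0 KiB'

# pkgs_with_flag FLAG
#   Reads emerge -pv style lines on stdin and prints the atom of every package
#   whose USE string enables FLAG. A flag is enabled when it appears without a
#   leading "-"; emerge's change markers ("*" changed, "%" new) and the
#   parentheses used for forced/masked flags are stripped before comparing.
pkgs_with_flag() {
    flag="$1"
    awk -v flag="$flag" '
        /^\[ebuild/ {
            # package atom: first non-blank token after the closing "]"
            atom = ""
            if (match($0, /\] +[^ ]+/)) {
                atom = substr($0, RSTART, RLENGTH)
                sub(/^\] +/, "", atom)
            }
            # USE="..." : take the quoted contents
            if (atom != "" && match($0, /USE="[^"]*"/)) {
                use = substr($0, RSTART + 5, RLENGTH - 6)
                n = split(use, f, " ")
                for (i = 1; i <= n; i++) {
                    name = f[i]
                    gsub(/[()]/, "", name)       # (alsa) / (-alsa): forced or masked
                    sub(/[*%]+$/, "", name)      # alsa* / alsa%: change markers
                    if (name == flag) { print atom; break }
                }
            }
        }'
}

# Which packages in the sample would still be built with alsa enabled?
printf '%s\n' "$SAMPLE_EMERGE_OUTPUT" | pkgs_with_flag alsa
```

Run against the sample, the alsa check reports only `media-video/ffmpeg-6.1.1`, which is exactly the package whose per-package override was meant to turn it off: the `alsa*` marker shows the flag is changing on this merge, so the override has not taken effect yet (a typo in the atom, or a profile forcing the flag, are the usual reasons). For packages that are already installed, `equery hasuse alsa` from gentoolkit answers the same question without a pretend merge.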
Go through this https://www.gentoo.org/support/security/