Re: Why Linux, Why Debian

To: debian-devel@lists.debian.org
Subject: Re: Why Linux, Why Debian
From: Matt Zimmerman <mdz@debian.org>
Date: Fri, 13 Feb 2004 09:52:01 -0800
Message-id: <[🔎] 20040213175201.GE12277@alcor.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20040213161212.GA20601@dat.etsit.upm.es>
References: <[🔎] 87d68jc2th.fsf@glaurung.internal.golden-gryphon.com> <[🔎] 20040213112459.GB1852@suffields.me.uk> <[🔎] 20040213161212.GA20601@dat.etsit.upm.es>

On Fri, Feb 13, 2004 at 05:12:12PM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:

> On Fri, Feb 13, 2004 at 11:24:59AM +0000, Andrew Suffield wrote:
> > I think that regular Debian equals or beats the exact claims made as to
> > openbsd's "security" (which aren't much - just regarding holes in the
> > default install that can lead to a remote root compromise). Note that
> > this mostly says "We have a default install that doesn't do anything,
> > too".
> 
> Umm.. it's really a default install with no network services, which is
> usually quite ok for most users. Our "default" general install is much
> more bloated. Our priorities have improved from release to release but, in
> the eternal struggle of what's default, we have chosen usability vs.
> security.  OpenBSD has chosen the former.

If by our "default" install you mean Priority: standard, then I do not agree
that this is quite ok for much of anybody.  It's too much for a minimal
system like a router, and too little for a desktop or server which needs to
get work done.

> > In terms of real-world security there appears to be no difference
> > between Debian and openbsd at this time. SELinux would be significantly
> > better, but Debian can hardly claim to support that at present.
> 
> I disagree on the differences: W^X and protection against stack overflows
> (ProPolice), introduced in 3.3 [1] make a significant difference IMHO,
> Debian kernels or user-level programs do not provide any kind of
> protection against buffer/stack overflows currently [2]. 

Andrew was talking about real-world security, not protection for
hypothetical vulnerabilities.  Even so, I disagree with him, in that the
frequency of local root vulnerabilities published in the Linux kernel since,
say, the Woody release, is abhorrent.  The Linux kernel is a component of
practically every Debian system in existence, so it should meet any
definition of "default install".

> Also, the user-space has been audited, something we cannot say we have done
> ourselves. [3]

Neither Debian nor OpenBSD has audited all of the user-space programs that
they ship.  Which part of user-space are you referring to?

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: Why Linux, Why Debian
  - From: Andrew Suffield <asuffield@debian.org>

References:
- Why Linux, Why Debian
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Why Linux, Why Debian
  - From: Andrew Suffield <asuffield@debian.org>
- Re: Why Linux, Why Debian
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Re: Why Linux, Why Debian
Next by Date: Re: Why Linux, Why Debian
Previous by thread: Re: Why Linux, Why Debian
Next by thread: Re: Why Linux, Why Debian
Index(es):
- Date
- Thread