
Re: How secure is an installation with no non-free packages?



On Thu, Sep 12, 2013 at 11:41 PM, adrelanos wrote:

> How secure is a Debian installation with packages installed only from main,
> none from contrib or non-free?

Install and run debsecan on such a system to find out about the known
vulnerabilities. For the unknown ones you have to audit the code
running on your system and the potential code paths. Probably start
with the Linux kernel.

> It will lack for example the firmware-linux-nonfree package and the
> intel-microcode / amd-microcode package. At least the microcode one is
> security relevant? Are there any other packages which might be important
> to have installed for security reasons?

No known issues for these:

https://security-tracker.debian.org/tracker/source-package/intel-microcode
https://security-tracker.debian.org/tracker/source-package/amd-microcode

One issue for the Broadcom BCM4325 and BCM4329 Wi-Fi firmware, not
affected by Debian:

https://security-tracker.debian.org/tracker/source-package/firmware-nonfree
https://security-tracker.debian.org/tracker/CVE-2012-2619
http://bugs.debian.org/694716

> I mean, how secure is it in comparison with those packages installed vs
> not having them installed?

There is no way to judge that objectively since we don't have the code
for them, don't know what the updates do and most of these are for
unknown CPU architectures. Despite that, there has been some work on
microcode reverse engineering:

http://inertiawar.com/microcode/

I guess the rest of the thread covered the philosophical/theoretical
side of things.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
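
Added example, not part of the original message and not code from the debsecan project: a small shell filter that groups debsecan's per-vulnerability lines by package, so the packages with the most remotely exploitable known issues come first. It assumes the default summary layout `<id> <package> (<flags>)` with the flags optional; the function names `triage` and `sample_lines` are hypothetical, and the sample lines are constructed with placeholder IDs and package names.

```shell
#!/bin/sh
# Added example: summarise debsecan output per package.
# Assumption: each input line is "<id> <package> (<flag>, <flag>, ...)",
# where the parenthesised flag list may be absent.

# triage: read summary lines on stdin and print, per package,
#   <remote-count> <total-count> <fixed-count> <package>
# sorted by remote count, then total count (both descending), then name.
triage() {
    awk '
        NF >= 2 {
            pkg = $2
            flags = ""
            if (index($0, "(") > 0) {
                flags = $0
                sub(/^[^(]*\(/, "", flags)   # drop everything up to "("
                sub(/\).*$/, "", flags)      # drop ")" and what follows
            }
            total[pkg]++
            n = split(flags, f, /, */)
            for (i = 1; i <= n; i++) {
                if (f[i] == "remotely exploitable") remote[pkg]++
                if (f[i] == "fixed") fixed[pkg]++   # a fixed version exists
            }
        }
        END {
            for (p in total)
                printf "%d %d %d %s\n", remote[p], total[p], fixed[p], p
        }
    ' | sort -k1,1nr -k2,2nr -k4,4
}

# Constructed sample input (placeholder IDs and package names).
sample_lines() {
    cat <<'EOF'
CVE-0000-0001 examplepkg-a (remotely exploitable, high urgency)
CVE-0000-0002 examplepkg-a (fixed, remotely exploitable, medium urgency)
CVE-0000-0003 examplepkg-b (low urgency)
TEMP-0000000-000000 examplepkg-b
CVE-0000-0004 examplepkg-c (fixed, low urgency)
EOF
}

# Offline demonstration on the constructed sample.
# On a real system: debsecan --suite <release codename> | triage
sample_lines | triage
```

A non-zero third column marks packages where upgrading would already close at least one of the listed issues.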

