Re: Secure OS's
I guess what I mean by a secure os is an os whose packages themselves
are secure. Obviously, if someone doesn't set up a server securely, it
doesn't matter how secure the packages are. Likewise, if a person
set up a server keeping security as a priority, all their efforts are
for naught if the package is built insecurely, (like the common
I know that Debian releases security patches that solve many of these
issues, when they come up. However, this process leads me to believe
that the packages in general are not built with security in mind
(which makes sense because most people programming an editor are
probably not terribly concerned about curious users monkeying around
with their programs too much).
How important of an issue do you guys feel this is and do you think
projects like Bastille are important towards this effort? Also, I
do not know of any other Debian-compatible security packages and
would love to learn more about them.
Whether or not a software application itself is security-minded is
primarily a judgment call about the application's developers, its
security model, and its maturity.
You say, "all their efforts are for naught if the package is built
insecurely, (like the common buffer overflow)". This is usually not the
domain of the distribution or packager.
When 99.9% (eh?) of the development work is done by the upstream
developer, looking elsewhere to make security judgments about the
software would seem to be a mistake.
Just because a software application has been packaged in a distribution
for 6 years does not mean that it is in any way secure or even "more
secure". It may have a user base of 10 people. That the software is
available as a .deb tells you very little beyond an expectation that it
will be version compatible with the rest of the distribution.
The distribution package - the .deb - is security neutral.
Further, I do not believe there is a 1:1 correspondence between software
which is packaged and software which it is worthwhile to divert people
resources to for development or testing.
Shouldn't development and testing resources be allocated by the upstream
developers and those who fund them?