
Re: Security features in Debian 8 (Jessie)



On Mon, Apr 27, 2015 at 07:32:18PM +0200, oliver.schmid.94@t-online.de wrote:
> 	You wrote that these hardening flags are individual for all packages.
> So is it possible to see which packages have which build flags
> enabled? (via the new package tracker or the package search). 

In https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags you will
find pointers to the list of packages that have these features enabled. These are
maintained by the team driving the process and they list those that are
fixed, partially fixed and being worked on or checked:

Packages of priority important or higher:
http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-important.txt?view=co

Network-accessible daemons:
http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-daemons.txt?view=co

Interpreters:
http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-interpreters.txt?view=co

Packages with a DSA since 2006:
http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-dsa.txt?view=co

You also have some statistics here:
http://outflux.net/debian/hardening/

> 	It's not practicable to install each package and test it with a
> script or look in the build file. 

No need to do that, the script used for the statistics uses a local mirror to
obtain the information. 

> 	And for the kernel hardening: -fstack-protector and runtime memory
> allocation validation  are not exactly described in the
> https://wiki.debian.org/Hardening [1] page. 

The Wiki just has references to these features. The description of those
exact security features should be found elsewhere (in the Linux kernel
documentation).

> 	I'd like to express with the wiki page (the Security Features Matrix)
> that it would be nice to see all information at one point. Probably it
> would be good to include such a Matrix in the official documentation
> or the release notes. I know that the Debian project is working
> heavily on security, but the documentation of this process is not very
> good. 

Yes, the documentation can be improved but, unfortunately, just "wishing" it
to be done is not going to get it done. We are, after all, a volunteer
organisation. People are working on a lot of things and some others can get,
from time to time, neglected.

Unfortunately, documentation is sometimes neglected. But I encourage you to
help with the documentation, if you so desire; the process is open to anybody
with a willingness to improve it.

Best regards

Javier
