Re: expanded + clarified "differences from Debian" wiki section
Paul Wise left as an exercise for the reader:
> On Thu, May 9, 2013 at 11:59 AM, nick black wrote:
>
> > systemd has replaced sysvinit.
> This may happen in Debian for jessie, at least for the Linux-based
> architectures.
Wonderful! Indeed, it was the FreeBSD/Hurd issue that seemed the biggest
obstruction. I'll need to look into how this is being done. In that case, we'll
have service files to contribute.
> > SELinux and TCP wrappers are not supported. The former almost certainly introduces security problems
> Do you have any specific issues in mind here? If so it would be a good
> idea to get CVEs and patches issued for them.
Nope, no specific issues, more an issue of "security policy ought be
implemented using as few mechanisms as possible."
> > Hardening flags are not considered universally desirable.
> Is the performance difference really that large?
This isn't about performance, though that is a (minor) issue. Much more
problematic is that it's a major source of patches, which we consider
undesirable. Contributing hardening patches upstream to live projects is
great, but we don't want to maintain them against dormant codebases.
> > Patching the upstream sources is strongly frowned upon
> Likewise in Debian, we even codified that in our social contract:
>
> http://www.debian.org/social_contract
>
> We do take a pragmatic approach when upstream is unresponsive or for
> other reasons though.
Yep. I'll add linkage to the Debian policy; thanks for pointing it out!
> > use of --fail-missing or an equivalent is strongly encouraged
>
> It might be interesting to make that the default in a future debhelper
> compat level.
I am personally deeply surprised that this is not already the case,
especially in CDBS.
>
> The advantage of having humans involved here is that they can make
> judgements about the updates.
Absolutely. The disadvantage is that you need the humans.
--
nick black http://www.sprezzatech.com -- unix and hpc consulting
to make an apple pie from scratch, you need first invent a universe.