Re: Debian derivatives census: Parrot Security: welcome!





On June 3, 2016 4:37:25 PM GMT+02:00, Paul Wise <pabs@debian.org> wrote:
>Hi Lorenzo,
>
>I would like to welcome yourself and Parrot Security to the Debian
>derivatives census! Would you like to take this opportunity to
>introduce yourself and Parrot Security to us all? 
>
>https://wiki.debian.org/Derivatives/Census/ParrotSecurity

Hi Paul, I was invited here some time ago but I've never had the time to add our page (it was easier than expected).

As stated on our census page, Parrot is a Debian testing derivative focused on security, digital forensics, development and privacy, and it uses a full copy of the Debian mirror plus some changes and new packages.



>You don't appear to be subscribed to the Parrot Security census page,

I'll subscribe as soon as possible; I'm new to the Debian wiki.


>I've made a few changes to the Parrot Security census page:
>
>https://wiki.debian.org/Derivatives/Census/ParrotSecurity?action=info
>
>The page says that Parrot Security modifies Debian binary packages. It
>is quite rare that distributions modify Debian binary packages instead
>of modifying source packages and rebuilding them. Does Parrot Security
>actually do this? If so could you describe what kind of modifications
>you are making? If not I guess the page needs to be fixed.

In the past we used to make little changes to some Debian binary packages to perform minor fixes without recompiling everything, but now we make every change respecting the Debian standards and recompile our packages from source. In fact you're right and the page needs to be fixed.

An example of a binary modification we did in the past (just for the record) was to add our custom theme to geany-common; then we edited all the other geany packages to require the correct version of geany-common without cross-compiling them for every architecture. But now we do everything from source.



>Some of the Release files in the apt repository for Parrot Security are
>missing the Valid-Until header, which allows clients to find out when
>active network attackers are holding back newer Release files. At
>minimum, rolling releases and suites containing security updates should
>have this header. With reprepro you can use the ValidFor config option.
>
>https://wiki.debian.org/RepositoryFormat#Date.2CValid-Until

I've never seen it in the several reprepro examples, but I'll add it as soon as possible.



>The page is missing a dpkg vendor field. It is important that Debian
>derivatives set this properly on installed systems and mention the
>value of the field in the derivatives census.
>
>https://wiki.debian.org/Derivatives/Guidelines#Vendor

I've already contacted the person responsible for this package to add the vendor field, thanks for the tip.


>There doesn't appear to be a Parrot Security blog or a blog aggregator
>for Parrot Security developers. If these existed they would be
>syndicated on Planet Debian derivatives and would help the Debian
>community find out the things that are happening in Parrot Security.
>If your Facebook page were public we could use that.

Our (little) developer community has never had this need, but it is a good idea to have one; I'll try to discuss it with my team.



>Since Parrot Security is based in Italy, you might be interested in
>joining the Debianizzati or Bologna groups: 
>
>https://wiki.debian.org/LocalGroups#Italy

Of course I am; I'll be happy to join these groups.



>This year the annual Debian conference is in Cape Town, South Africa.
>It would be great if developers from Parrot Security could attend
>DebConf. Unfortunately it is very very close to the event. If this
>isn't possible, next year DebConf will be in Montreal, Canada.
>
>http://debconf16.debconf.org/


Not this year (lack of funds and time); let's try next time.



>I note that Parrot Security is based on Debian testing. A great way to
>help ensure that Debian is working well for you is to install and run
>the how-can-i-help tool and try to work on any issues that come up.
>
>http://www.lucas-nussbaum.net/blog/?p=837
>https://packages.debian.org/unstable/how-can-i-help
>https://wiki.debian.org/how-can-i-help


We encountered some errors during our development path, but we thought they were caused by our patches and modifications. We are always happy to open bug reports or contact the involved package maintainers when we are sure that the problem is not on our side, but I'll try how-can-i-help.




>I note there are several other security, penetration testing and
>privacy related Debian derivatives, have you considered collaborating
>or merging with them? There are also Debian teams for forensics and
>security related tools:
>
>https://alioth.debian.org/projects/pkg-security
>https://wiki.debian.org/Teams/DebianForensics
>
>https://wiki.debian.org/Derivatives/Census/CyborgLinux
>https://wiki.debian.org/Derivatives/Census/Kali
>https://wiki.debian.org/Derivatives/Census/Matriux
>https://wiki.debian.org/Derivatives/Census/Tails
>https://wiki.debian.org/Derivatives/Census/Whonix


We are in close collaboration with Caine (based on Ubuntu) for what concerns the digital forensics environment, while we imported many Debianized tools from Kali where we thought it was useless to re-invent the wheel, focusing only on what we want to do in our own way. We would be happy to make our relationship with Kali more official (and contribute back where possible), and a collaboration with Tails and Whonix would also be interesting for what concerns our development of anonsurf and other similar tools.



>I note that Parrot Security uses several desktops, I would encourage
>you to provide feedback and fixes to the Debian teams.
>
>https://wiki.debian.org/Teams/pkg-mate
>https://pkg-kde.alioth.debian.org/
>https://wiki.debian.org/Teams/LXQtPackagingTeam

Our main DE is MATE, and we provide a tiny derivative project which uses LXDE, but many users have experimented with KDE and i3 too. I'll try to get feedback from our community and see what changes would be useful to import into Debian too.



>Please consider disabling the CloudFlare Captcha for Tor users.


We recently put our Cloudflare firewall in aggressive mode due to some recent attacks, but we are going to restore it by Monday. Some members of the team have also proposed to make our website available as a Tor hidden service and to make our repository available over Tor too, but it is still in progress.


>You might want to consider adding DNSSEC and TLSA records to your
>domains. SSL on the repository will help Parrot Security users to
>obscure package names and version numbers from global active
>adversaries. You might also want to add HSTS headers.

We have already added the DNSSEC and HSTS options; I'll check why they are not enabled, thanks for reporting that.




>Please feel free to circulate this mail within the Parrot Security
>team.

----
Lorenzo "Palinuro" Faletra (EclipseSpark)

Frozenbox Network
Parrot Security

GPG ID: F4C6B9A4

GPG Info: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x97CAA129F4C6B9A4
GPG Key: http://pgp.mit.edu/pks/lookup?op=get&search=0x97CAA129F4C6B9A4
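The Valid-Until check Paul raises above, as an added example that is not part of this thread and not Parrot's or reprepro's own code: a small Python checker that parses the headers of an apt Release file and classifies it as missing the Valid-Until header, expired, or still within its validity window. This is the client-side view of why the header matters: without it, an on-path attacker can keep serving an old but correctly signed Release file forever. The Release file text below is constructed for the example; a reprepro deployment would emit the header from the ValidFor option mentioned in the mail, and the field names and date format follow https://wiki.debian.org/RepositoryFormat.

```python
"""Check an apt 'Release' file for the Valid-Until header.

A repository that omits Valid-Until cannot protect clients against a
freeze/replay attack in which a stale but validly signed Release file is
served indefinitely. This script parses the plain 'Key: value' headers
and reports whether the header is missing, expired, or still valid.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release file (not from any real repository).
RELEASE_WITH_VALID_UNTIL = """\
Origin: ExampleRepo
Label: ExampleRepo
Suite: testing
Codename: example
Date: Fri, 03 Jun 2016 14:00:00 UTC
Valid-Until: Fri, 10 Jun 2016 14:00:00 UTC
Architectures: amd64 i386
Components: main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

# Same file with the Valid-Until header dropped, as a misconfigured repo would serve it.
RELEASE_WITHOUT_VALID_UNTIL = "\n".join(
    line for line in RELEASE_WITH_VALID_UNTIL.splitlines()
    if not line.startswith("Valid-Until:")
) + "\n"


def parse_release_headers(text: str) -> dict:
    """Parse the top-level 'Key: value' lines of a Release file.

    Hash lists (MD5Sum/SHA1/SHA256) consist of indented continuation lines;
    they are skipped because only the header fields are needed here.
    """
    headers = {}
    for line in text.splitlines():
        if line.startswith((" ", "\t")):
            continue  # continuation line of a hash list
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


def check_valid_until(text: str, now: datetime) -> str:
    """Return 'missing', 'expired' or 'ok' for the given Release text at time `now`."""
    headers = parse_release_headers(text)
    if "Valid-Until" not in headers:
        return "missing"
    valid_until = parsedate_to_datetime(headers["Valid-Until"])
    if valid_until.tzinfo is None:
        # A timestamp without zone information is treated as UTC.
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    return "expired" if now > valid_until else "ok"


def run_checks() -> dict:
    """Evaluate both constructed samples at two points in time."""
    inside = datetime(2016, 6, 5, tzinfo=timezone.utc)   # within the one-week window
    later = datetime(2016, 6, 20, tzinfo=timezone.utc)   # after Valid-Until has passed
    return {
        "ok": check_valid_until(RELEASE_WITH_VALID_UNTIL, inside),
        "expired": check_valid_until(RELEASE_WITH_VALID_UNTIL, later),
        "missing": check_valid_until(RELEASE_WITHOUT_VALID_UNTIL, inside),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

To audit a live mirror, feed the downloaded `Release` (or the signed `InRelease`, whose body uses the same headers) to `check_valid_until` with `datetime.now(timezone.utc)`; anything other than `ok` on a rolling or security suite is the condition Paul's mail warns about.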
