Re: Two questions about task-harden.
Ok
I'll try to summarize what you have said:
* Well I did not intend to start a flamewar. Did not think of that.
And thank you for not starting one. :)
* Yes I should rename task-harden to harden. Good I'll do that. :)
* Sendmail has a history of security problems and there is a quite
late report. But it has changed a lot and conflicting with it might
not be right to do.
Too bad that there is no Recommends-against but maybe it is better
to do some postinst removal like the ppp and pcmcia removal at
install-time. It is a good idea. :)
But how do I do that practically? I should ask in the configure script
and then remove in postinst, but how? Can I really run dpkg, is that
not locked when running apt?
* So I'll try to make a Recommends-against using postinst and debconf
with information about why to remove things...
* One more thing:
I intend to write (and maybe split out the harden-localflaws and
harden-remoteflaws to a new package) that on build time (or maybe
other time?) download, parse and create conflict (and maybe postinst
advisory?) rules on the fly. Do you know of a place with good information
that is easy to parse for this? This package should then be maintained
by qa (and I'll join the qa-group :) ) so that for each security
advisory this package should be updated. This way I think a lot of
testing-users should get better systems. But my intention is to use
as many sources as possible and automate this in a nice way (with
possibility to manually check and fix things).
If someone has already done this I'll be very happy but I have not
heard of it yet. Yes I know that security.debian.org exists but I also
want to have this usable for unstable and testing users. Well that
is the goal anyway. :)
Regards,
// Ola
On Thu, Aug 23, 2001 at 06:01:53PM -0400, Brian Sniffen wrote:
> Noah Meyerhans <noahm@debian.org> writes:
>
> > On Thu, Aug 23, 2001 at 09:14:31PM +0200, Ola Lundqvist wrote:
> > > The second question is if I should conflict with sendmail. I got
> > > a bugreport some days ago that was complaining about just that.
> > > In my opinion there is no good reason for not conflicting with
> > > sendmail but I want to know what you think. Is it possible to make
> > > a secure server with sendmail?
> >
> > I don't like the idea of conflicting with sendmail. A hardened machine
> > should still be useful. It's too bad there's no "Recommends-Against"
> > dependency or something. I think conflicting is too rigid in this case.
>
> Sure, but there are plenty of other MTAs which can be used in place of
> sendmail. Sendmail has a history of security problems; postfix and
> exim have a history of reasonably secure behavior. A machine with
> sendmail installed *isn't* hardened. There may be times when
> Sendmail's functionality is needed, but that couldn't really be called
> a hardened machine any more.
>
> -Brian
>
> --
> Brian Sniffen bts@akamai.com
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------