
Re: Debian and StackGuard



kevin@bestkevin.com writes:

> Hi,
> ok, I talked about it many months ago but...when I think that something is
> right I can't stop that :) so...slink is near to be released, why is it so
> hard to make a parallel version of it with all security-related
> and involved packages compiled with StackGuard ? Nobody was able to make
> me change idea that it should be a good way to propose Debian to the
> world...
> I think that best ppl that should do that are maintainers, which have
> sources and have only to change path to compiler or something like that
> (never used SG, only heard about it)...
> I hope this time someone else will agree with my idea ;) 

There is a StackGuarded Red Hat distribution, for those that are
interested.

StackGuard only protects against a small range of security bugs
(buffer overflows), and imposes a performance penalty.  A Debian
system that is kept fully up-to-date should be safe from all the known
exploits.

Doubtless, there will be new buffer overflow exploits discovered in
the future.  Debian usually has these fixed within a day or two.  New
exploits affecting commonly run daemons are becoming rarer and rarer
as the codebase matures, and is used, audited and debugged by
thousands of users.

Using StackGuard would imply that we mistrust our codebase to be safe
from buffer overflows.  It could be viewed as a "crutch" which we'd
end up relying upon instead of fixing the bugs which are the real
problem.

So, for general use, something like StackGuard is a bit overkill -
unless you are paranoid or have special requirements.  In those cases,
there's always the StackGuarded Red Hat.

I'm sure if there was enough interest, somebody could organize a
project to build a StackGuarded Debian.  But there might not be enough
interest.  There are several other systems similar to StackGuard as
well.

Cheers,

 - Jim

