[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Task harden.

On Mon, Apr 02, 2001 at 05:14:03PM -0400, Dan Christensen wrote:
> Conflicts are too strong.
Well I do not think so (see below).

> > > have a certain insecure package installed, but I want my machine
> > > to be as secure as possible subject to that constraint.  I
> > > wouldn't be able to use task-harden for this if it conflicts
> > > with that package.
> > 
> > No that is true. But this is a task-foo package and is just used
> > to help you out. But to make this useful at all it has to
> > conflict something.
> > 
> > Well how du you suggest that I should do?
> I suggest a script that provides warnings about packages that are
> installed and which might be security problems.  This should include
> pointers to more information.  This would be easy to write.  Also, as
> people come up with more ideas, more things could be checked by this
> script.  The package containing this script could drop something in
> /etc/apt/apt.conf.d so that the script is run during every installation.

Well that is an idéa that I can extend this with. Maybe I'll create
something like this and make task-harden depend on it.

> This is much more flexible than what you propose.  I may want to make
> use of your package, but might want to have telnetd installed with tcp
> wrappers allowing access from just one local machine, or something
> like that.  Conflicts are too strong.

Well yes it is more flexible but it is also harder to use. My idéa
is/was to use the dependency system. You can still install things
with --force-... and you can recompile things with different names
to get around this if you need such special cases.

> I want the advice and knowledge that a group of people compile
> about the security of Debian and my machine.  But I don't want
> to be forced to accept their decisions.

Well maybe I'll extend this with a autogenerated control file
and some other tools that gets its data from some description file.

But not yet. :)

If you think it is easy to write such a checking tool you are welcome
to do so. I just do not have that time right now. Maybe I'll do that
but not this weak anyway. :)


// Ola

 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /

Reply to: