
Re: Task harden.



On Mon, Apr 02, 2001 at 05:14:03PM -0400, Dan Christensen wrote:
> Conflicts are too strong.
> 
Well I do not think so (see below).

> > > have a certain insecure package installed, but I want my machine
> > > to be as secure as possible subject to that constraint.  I
> > > wouldn't be able to use task-harden for this if it conflicts
> > > with that package.
> > 
> > No that is true. But this is a task-foo package and is just used
> > to help you out. But to make this useful at all it has to
> > conflict something.
> > 
> > Well how do you suggest that I should do?
> 
> I suggest a script that provides warnings about packages that are
> installed and which might be security problems.  This should include
> pointers to more information.  This would be easy to write.  Also, as
> people come up with more ideas, more things could be checked by this
> script.  The package containing this script could drop something in
> /etc/apt/apt.conf.d so that the script is run during every installation.

Well that is an idea that I can extend this with. Maybe I'll create
something like this and make task-harden depend on it.

> This is much more flexible than what you propose.  I may want to make
> use of your package, but might want to have telnetd installed with tcp
> wrappers allowing access from just one local machine, or something
> like that.  Conflicts are too strong.

Well yes it is more flexible but it is also harder to use. My idea
is/was to use the dependency system. You can still install things
with --force-... and you can recompile things with different names
to get around this if you need such special cases.

> I want the advice and knowledge that a group of people compile
> about the security of Debian and my machine.  But I don't want
> to be forced to accept their decisions.

Well maybe I'll extend this with an autogenerated control file
and some other tools that get their data from some description file.

But not yet. :)

If you think it is easy to write such a checking tool you are welcome
to do so. I just do not have that time right now. Maybe I'll do that
but not this week anyway. :)

Regards,

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
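
Added example (not part of the original message and not code from either poster): a sketch of the warn-only checking script proposed in the thread, which reports watchlisted packages that are installed instead of conflicting with them. The watchlist format, the `example-insecure-pkg` entry, the pointer placeholders and the sample status text are constructed for illustration; wiring it in through apt's `DPkg::Post-Invoke` hook is an assumption about how the `/etc/apt/apt.conf.d` idea would be done.

```shell
#!/bin/sh
# Warn (never block) about installed packages that appear on a watchlist.
# Watchlist format (constructed for this example): package|reason|pointer

# Constructed watchlist; telnetd is the package named in the thread,
# the other entry and both pointers are placeholders.
WATCHLIST='telnetd|cleartext remote login|<pointer to more information>
example-insecure-pkg|placeholder entry|<pointer to more information>'

# Constructed sample in dpkg status-file format, so this runs offline.
SAMPLE_STATUS='Package: telnetd
Status: install ok installed
Version: 0.0-constructed

Package: example-insecure-pkg
Status: deinstall ok config-files
Version: 0.0-constructed

Package: bash
Status: install ok installed
Version: 0.0-constructed
'

# installed_packages: read dpkg status stanzas on stdin and print the names
# of packages whose Status is exactly "install ok installed", so removed
# packages that only left config files behind are not reported.
installed_packages() {
    awk '
        /^Package: / { pkg = $2 }
        /^Status: /  { if ($0 == "Status: install ok installed") print pkg }
    '
}

# check_packages STATUS_TEXT: print one warning per installed watchlisted
# package. The exit status is always 0 so an installation is never aborted.
check_packages() {
    installed=$(printf '%s\n' "$1" | installed_packages)
    printf '%s\n' "$WATCHLIST" | while IFS='|' read -r pkg reason pointer; do
        if printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            echo "WARNING: $pkg is installed ($reason); see $pointer"
        fi
    done
    return 0
}

# On a real system: check_packages "$(cat /var/lib/dpkg/status)", run from
# an apt.conf.d snippet via the DPkg::Post-Invoke hook (assumed wiring).
check_packages "$SAMPLE_STATUS"
```

Because the script only prints and always exits 0, an administrator who keeps telnetd behind tcp wrappers still gets the advice without being forced to remove the package.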


