
Re: libsafe and Debian installation



I'd disagree with that on a couple of points...

1) If we start asking questions like that, we could make arguments for
asking the user specifically if they want all sorts of other "useful
utilities" installed, to the point where we have 500 questions after
having already selected the packages to install.

2) I don't agree with trying to make a distro do the work of programmers
writing secure software.  If the software installed is buggy enough to
really need the extra security of libsafe, it should be patched or
removed from Debian.  Otherwise, we end up with a lot of people just
depending on libsafe, or programming students simply expecting certain
bugs not to matter on GNU/Linux, since Debian protects against it with
libsafe.

I can fully understand putting this in the install docs.  For example,
in a "Securing your Debian Installation" section or such - if the user
cares about security, they'll read that, see the information on libsafe,
and hopefully a very full description (more than we'd want to put on an
installation disk set) will help them make a more educated choice.

On Mon, 2002-04-22 at 12:32, Shaya Potter wrote:
> Debian provides a nice little library called libsafe.  While libsafe
> isn't perfect, it does provide a real measurable level of security
> against buffer overflow attacks.  It's also very easy to install (all
> one does is install the package and put the library in
> /etc/ld.so.preload) 
> 
> Is there any good reason why an install of Debian should not ask the
> user if they want to install libsafe, and give them reasons why they
> would want to, and possibly not want to (overhead...)?
> 
> There are probably some other packages that also provide some real
> security, in a very easy to do manner that we should give users the
> option of using.  Just having the package available doesn't make users
> aware of it.
> 
> wondering what other people think,
> 
> shaya
> 
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 



