Re: [developers-l] Re: [debian-devel] Re: security enhanced debian branch?


On Thu, Dec 18, 2003 at 06:39:28PM +0000, Magosányi Árpád wrote:
> My mail client thinks that Matt Zimmerman wrote the following:
> > On Thu, Dec 18, 2003 at 09:07:02AM -0400, Ben Armstrong wrote:
> > > Second, any such effort shouldn't be a branch, but should be mainstreamed in 
> > > Debian proper.  Please see http://wiki.debian.net/CustomDebian for a 
> > > possible approach for this sort of project.
> > For cases where the added functionality is provided by additional packages,
> > this is easy.  However, some of the things which are being experimented with
> > include compiler patches to produce binaries which make certain types of
> > exploits more difficult, and that kind of thing is not easy to merge into
> > Debian proper.
> I think this kind of stuff could be handled in new architectures. For
> example the Adamantix project could be merged back by creating
> an architecture i386-adamantix for the stack protected stuff, and 
> the other parts being a "CDD" by the terminology of the above link.

Such solutions have been discussed since Trusted Debian 1.0 was released,
which was end of April this year. But discussions do not get the work done.

> (I do not know enough about the history of the project to tell if its
> developers would consider merging back a good idea or an organisational
> impossibility. But the main point is not about that, or even that project
> in particular.)

Merging is a bad idea. Adamantix and Debian are different projects with
different goals.

It is IMHO a good idea to put back stuff from Adamantix in Debian. Currently
I am fully occupied by development of RSBAC support in Adamantix, so I cannot
do it myself. But anyone who wants to work on this stuff for Debian can join
#adamantix on irc.freenode.org or send e-mail. There are always people on
#adamantix who are willing to share information and answer questions
(including so-called stupid questions). Even if you don't know much about this
stuff, we can get you up to speed and try to help when you get stuck.

People who talk badly about Adamantix either do not know what they are talking
about or do so deliberately. I.e. by spreading FUD, making it look like a fight
between ``us'' and ``them'', as if there is nothing in common between the two
projects. All in all, it seems to me that there are a few people in Debian who
think that it is against their personal interest when Adamantix stuff is added
to Debian, even though it is clear that it is in the interest of all Debian
users to have better security.

Anyone related to Adamantix that I know of has been helpful with helping
others, including Debian users and developers. There is a good relationship
with Gentoo hardened. And there is no reason at all why there is no such
relation between Debian and Adamantix. A good start would be if some Debian
developer started to write a plan for putting Adamantix stuff in Debian. Then
we can discuss it and determine what needs to be done by whom. And then start
working on it.

Peter Busser

