Re: [developers-l] Re: [debian-devel] Re: security enhanced debian branch?

[Steve Kemp <skx@debian.org>]

On Thu, Dec 18, 2003 at 11:53:22PM +0100, Peter Busser wrote:

> It is IMHO a good idea to put back stuff from Adamantix in Debian. Currently
> I am fully occupied by development of RSBAC support in Adamantix, so I cannot
> do it myself. But anyone who wants to work on this stuff for Debian can join
> #adamantix on irc.freenode.org or send e-mail. There are always people on
> #adamantix who are willing to share information and answer questions
> (including so called stupid questions). Even if you don't know much about this
> stuff, we can get you up to speed and try to help when you get stuck.

  Is it not the case that the RSBAC stuff conflicts with the stuff that
 is going to be in the mainling 2.6 kernel?  (Such was my impression but
 I could easily be confused).

> People who talk badly about Adamantix either do not know what they are talking
> about or do so deliberately. I.e. by spreading FUD, making it look like a fight
> between ``us'' and ``them'', as if there is nothing in common between the two
> projects. All in all, it seems to me that there are a few people in Debian who
> think that it is against their personal interest when Adamantix stuff is added
> to Debian, even though it is clear that it is in the interest of all Debian
> users to have better security.

  More security work is good.  More security stuff in Debian is good.

  However, as an outside observer, it appears to me that the Adamantix
  project is not interested in contributing back - quoting from the
  motivation page[1]:

  	"But adoption by other distributions so far has been slow.
	Energy has been wasted on politically driven efforts rather than
	in providing better solutions. This is not a very desirable
	situation.  

	...

	Therefore Adamantix is going to be a fully capable Linux
	distribution, with graphical desktop, graphical installer,
	hardware auto detection, sound, multimedia, etc.. In other
	words: Everything you can expect from a modern Linux system with
	more or less the same ease of use. Only more secure than other
	Linux systems"

  This to me suggests that Adamantix wants to "go it alone" and become
 yet another standalone distribution.  (I'm not suggesting for a moment
 that this is a bad thing in itself if you have enough resources to
 support it).

  I infer from this that you (the project) would not wish to get stuff
 back into Debian proper - as this would remove your distinction as
 being a secure Linux distribution and weaken your adoption.

  I'd be happy to be proved wrong, and would welcome pollenation in
 both directions - I just haven't noticed any yet.  (Possibly because
 I've been unobservent, very likely in my job-hunting state ;)

> Anyone related to Adamantix that I know of has been helpful with helping
> others, including Debian users and developers. There is a good relationship
> with Gentoo hardened. And there is no reason at all why there is no such
> relation between Debian and Adamantix. A good start would be if some Debian
> developer started to write a plan for putting Adamantix stuff in Debian. Then
> we can discuss it and determine what needs to be done by whom. And then start
> working on it.

  I'd be interested in hearing what the Adamantix people believed to be
 a reasonable approach for merging stuff back - but it does seem that
 they should be the people to write the plan, after all they know what
 they're working on - whereas outside Debian developers don't!

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/