
Re: Why Linux, Why Debian

On Fri, Feb 13, 2004 at 11:24:59AM +0000, Andrew Suffield wrote:
> On Thu, Feb 12, 2004 at 05:09:46PM -0600, Manoj Srivastava wrote:
> >  1) Do you think that OpenBSD's reputation as a secure OS is
> >     justified? Does the secure part of OpenBSD provide a useful platform
> >     for your needs? Would SELinux meet or exceed the needs for a
> >     secure OS for you?
> I think that regular Debian equals or beats the exact claims made as
> to openbsd's "security" (which aren't much - just regarding holes in
> the default install that can lead to a remote root compromise). Note
> that this mostly says "We have a default install that doesn't do
> anything, too".

Umm.. it's really a default install with no network services, which is 
usually quite ok for most users. Our "default" general install is much more 
bloated. Our priorities have improved from release to release but, in the 
eternal struggle of what's default, we have chosen usability vs. security. 
OpenBSD has chosen the former.

> In terms of real-world security there appears to be no difference
> between Debian and openbsd at this time. SELinux would be
> significantly better, but Debian can hardly claim to support that at
> present.

I disagree on the differences: W^X and protection against stack overflows
(ProPolice), introduced in 3.3 [1], make a significant difference IMHO.
Debian kernels or user-level programs do not provide any kind of protection
against buffer/stack overflows currently [2].

Also, the user-space has been audited, something we cannot say we have done
ourselves. [3]



[1] http://www.openbsd.org/33.html
[2] Although the exec-shield and Adamantix (PaX) patches are now
available in testing/unstable.
[3] Aside from the excellent work Steve Kemp has done for the moment 
auditing some programs, mostly games, provided in Debian.
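The bug class the W^X/ProPolice point above is about, as an added C example that is not part of this message nor of any OpenBSD or Debian code: the unbounded copy, its bounded replacement, and a by-hand sketch of the guard check a ProPolice-style stack protector inserts before a function returns. The function names, the fixed guard constant and the sample inputs are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX    16u
#define GUARD_VALUE 0xA5A5A5A5u   /* fixed here; real protectors use a random per-process value */

/* Vulnerable form: strcpy() has no idea how large name[] is. Input longer
 * than NAME_MAX-1 bytes runs past the buffer into whatever the compiler
 * placed above it in the frame. Kept for comparison only. */
int greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                 /* the bug: unbounded copy */
    return (int)strlen(name);
}

/* Bounded copy: refuses input that does not fit rather than truncating
 * silently or overflowing. Returns the length copied, or -1 on rejection. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);             /* n+1 includes the terminator */
    return (int)n;
}

/* Hardened form of greet_unsafe(): same local buffer, bounded copy. */
int greet_safe(const char *input)
{
    char name[NAME_MAX];
    return copy_bounded(name, sizeof name, input);
}

/* What a ProPolice-style stack protector does, written out by hand: a guard
 * word sits directly after the buffer and is checked before the function
 * returns. The overrun is simulated by copying into the struct as a whole,
 * capped at its size, so the demonstration never corrupts real stack state.
 * Returns 1 if the guard survived, 0 if it was clobbered (a real protector
 * aborts the process at that point instead of returning). */
int frame_intact(const char *input)
{
    struct {
        char     buf[NAME_MAX];          /* the buffer being written */
        uint32_t guard;                  /* the canary, placed right above it */
    } frame;
    size_t n = strlen(input);

    frame.guard = GUARD_VALUE;
    if (n > sizeof frame)
        n = sizeof frame;                /* cap: stay inside the struct */
    memcpy(&frame, input, n);            /* long input spills from buf into guard */

    return frame.guard == GUARD_VALUE;   /* 1 = intact, 0 = overflow detected */
}

int main(void)
{
    /* constructed sample inputs */
    const char *ok        = "alice";
    const char *too_long  = "AAAAAAAAAAAAAAAAAAAA";   /* 20 bytes: overruns a 16-byte buffer */

    printf("greet_safe(ok)         = %d\n", greet_safe(ok));          /* 5  */
    printf("greet_safe(too_long)   = %d\n", greet_safe(too_long));    /* -1 */
    printf("frame_intact(ok)       = %d\n", frame_intact(ok));        /* 1  */
    printf("frame_intact(too_long) = %d\n", frame_intact(too_long));  /* 0  */
    return 0;
}
```

The sketch also shows the limit of the mechanism: the guard is only inspected when the function returns, so the overwrite has already happened and anything below the guard is already corrupted; a canary detects, it does not prevent, and it says nothing about heap buffers. On a current GCC or Clang toolchain the equivalents of the two OpenBSD 3.3 features are `-fstack-protector-strong` (GCC's protector descends from the ProPolice patch) and a non-executable stack, which the linker marks by default and `-Wl,-z,noexecstack` forces; `readelf -l` on the binary shows the resulting `GNU_STACK` flags.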
