Re: Why Linux, Why Debian
On Fri, Feb 13, 2004 at 05:12:12PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Fri, Feb 13, 2004 at 11:24:59AM +0000, Andrew Suffield wrote:
> > I think that regular Debian equals or beats the exact claims made as to
> > openbsd's "security" (which aren't much - just regarding holes in the
> > default install that can lead to a remote root compromise). Note that
> > this mostly says "We have a default install that doesn't do anything,
> > too".
> Umm.. it's really a default install with no network services, which is
> usually quite ok for most users. Our "default" general install is much
> more bloated. Our priorities have improved from release to release but, in
> the eternal struggle of what's default, we have chosen usability vs.
> security. OpenBSD has chosen the former.
If by our "default" install you mean Priority: standard, then I do not agree
that this is quite ok for much of anybody. It's too much for a minimal
system like a router, and too little for a desktop or server which needs to
get work done.
> > In terms of real-world security there appears to be no difference
> > between Debian and openbsd at this time. SELinux would be significantly
> > better, but Debian can hardly claim to support that at present.
> I disagree on the differences: W^X and protection against stack overflows
> (ProPolice), introduced in 3.3, make a significant difference IMHO.
> Debian kernels or user-level programs do not provide any kind of
> protection against buffer/stack overflows currently.
Andrew was talking about real-world security, not protection for
hypothetical vulnerabilities. Even so, I disagree with him, in that the
frequency of local root vulnerabilities published in the Linux kernel since,
say, the Woody release, is abhorrent. The Linux kernel is a component of
practically every Debian system in existence, so it should meet any
definition of "default install".
> Also, the user-space has been audited, something we cannot say we have done
> ourselves. 
Neither Debian nor OpenBSD has audited all of the user-space programs that
they ship. Which part of user-space are you referring to?
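The ProPolice point raised in the quoted text, as an added illustration that is not part of this thread: the model below places a guard value ("canary") between a local array and the saved return address, the way ProPolice / -fstack-protector lays out a frame, and shows that a linear overflow clobbers the canary before it can reach the return address, while the unguarded frame lets the same overflow silently overwrite it. The struct layout, the fixed canary value and the capping of the copy at the frame size are assumptions of this model; a real compiler chooses the layout itself, reads a per-process random guard, and aborts via __stack_chk_fail on mismatch. W^X is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the guard ("canary") that ProPolice / -fstack-protector inserts
 * between a function's local arrays and its saved frame pointer and return
 * address. A linear overflow of buf has to overwrite the canary before it
 * can reach saved_ret, so an epilogue check catches the corruption.
 * The layout and the fixed canary value are assumptions of this model; a
 * real compiler picks the layout and reads a per-process random guard.
 */
struct guarded_frame {
    char     buf[16];   /* the overflowable local array */
    uint64_t canary;    /* guard placed directly above the array */
    uint64_t saved_ret; /* stands in for the saved return address */
};

struct plain_frame {
    char     buf[16];   /* same array, but nothing between it and saved_ret */
    uint64_t saved_ret;
};

static const uint64_t CANARY       = 0x0aff0000deadbeefULL; /* assumed fixed value */
static const uint64_t ORIGINAL_RET = 0x4242424242424242ULL; /* placeholder address */

/*
 * The buggy copy: src is written into buf with no length check. The write
 * is capped at the frame size purely to keep this model inside its own
 * object; a real overflow keeps going. Returns 1 if the canary survived,
 * 0 if the epilogue check would report "stack smashing detected" (a real
 * ProPolice build calls __stack_chk_fail and aborts at this point).
 */
int guarded_copy(const unsigned char *src, size_t len)
{
    struct guarded_frame f;
    memset(&f, 0, sizeof(f));
    f.canary = CANARY;
    f.saved_ret = ORIGINAL_RET;
    size_t n = len < sizeof(f) ? len : sizeof(f);
    memcpy((unsigned char *)&f, src, n);   /* no bounds check on buf: the bug */
    return f.canary == CANARY;             /* the epilogue check */
}

/*
 * The same bug without a guard. Returns 1 if saved_ret was silently
 * overwritten, i.e. the input now decides where the function "returns".
 */
int unguarded_copy_clobbers_ret(const unsigned char *src, size_t len)
{
    struct plain_frame f;
    memset(&f, 0, sizeof(f));
    f.saved_ret = ORIGINAL_RET;
    size_t n = len < sizeof(f) ? len : sizeof(f);
    memcpy((unsigned char *)&f, src, n);   /* same missing bounds check */
    return f.saved_ret != ORIGINAL_RET;
}

int main(void)
{
    /* Constructed inputs: one that fits in buf, one 8 bytes too long. */
    unsigned char fits[10], overflow[24];
    memset(fits, 'A', sizeof(fits));
    memset(overflow, 'A', sizeof(overflow));

    printf("guarded, 10 bytes  : canary intact = %d\n",
           guarded_copy(fits, sizeof(fits)));
    printf("guarded, 24 bytes  : canary intact = %d\n",
           guarded_copy(overflow, sizeof(overflow)));
    printf("unguarded, 24 bytes: return address clobbered = %d\n",
           unguarded_copy_clobbers_ret(overflow, sizeof(overflow)));
    return 0;
}
```

The 24-byte input overwrites offsets 16..23, which is exactly the canary in the guarded frame and exactly saved_ret in the plain one: the guard turns a silent control-flow hijack into a detectable abort, which is the difference the quoted text is pointing at. It does not fix the bug, and it does nothing against overwrites that skip the canary (a heap overflow, or a pointer write that lands past it).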