
Re: Why Linux, Why Debian

On Fri, Feb 13, 2004 at 05:12:12PM +0100, Javier Fernández-Sanguino Peña wrote:

> On Fri, Feb 13, 2004 at 11:24:59AM +0000, Andrew Suffield wrote:
> > I think that regular Debian equals or beats the exact claims made as to
> > openbsd's "security" (which aren't much - just regarding holes in the
> > default install that can lead to a remote root compromise). Note that
> > this mostly says "We have a default install that doesn't do anything,
> > too".
> Umm.. it's really a default install with no network services, which is
> usually quite ok for most users. Our "default" general install is much
> more bloated. Our priorities have improved from release to release but, in
> the eternal struggle of what's default, we have chosen usability vs.
> security.  OpenBSD has chosen the former.

If by our "default" install you mean Priority: standard, then I do not agree
that this is quite ok for much of anybody.  It's too much for a minimal
system like a router, and too little for a desktop or server which needs to
get work done.

> > In terms of real-world security there appears to be no difference
> > between Debian and openbsd at this time. SELinux would be significantly
> > better, but Debian can hardly claim to support that at present.
> I disagree on the differences: W^X and protection against stack overflows
> (ProPolice), introduced in 3.3 [1] make a significant difference IMHO,
> Debian kernels or user-level programs do not provide any kind of
> protection against buffer/stack overflows currently [2]. 

Andrew was talking about real-world security, not protection for
hypothetical vulnerabilities.  Even so, I disagree with him, in that the
frequency of local root vulnerabilities published in the Linux kernel since,
say, the Woody release, is abhorrent.  The Linux kernel is a component of
practically every Debian system in existence, so it should meet any
definition of "default install".

> Also, the user-space has been audited, something we cannot say we have done
> ourselves. [3]

Neither Debian nor OpenBSD has audited all of the user-space programs that
they ship.  Which part of user-space are you referring to?

 - mdz
