
X and non-X packages (Re: Attempts at security)



> From: Lars Wirzenius
> Newsgroups: gmane.linux.debian.devel.general
> Subject: Re: Attempts at security
> Date: Sat, 03 Feb 2007 14:05:30 +0000

Hello.

> On la, 2007-02-03 at 12:37 +0100, Hendrik Sattler wrote:
>> > > Not being able to change the cause to the better doesn't mean to
>> > > introduce a mess to control the result.  And I really hope that Debian
>> > > never considers installing+enabling selinux by default.
>> >
>> > IIRC, debian/etch does already install selinux today without you
>> > even noticing it.
>> 
>> It is not enabled by default. That is the other point: you get that selinux
>> integration whether you want it or not.
>
> Debian has made similar decisions throughout its history: we generally
> don't provide separate X and non-X versions of the same package, for
> packages where this is a build time option, for example. That is also a
> cost every Debian user pays: increased disk and memory usage, even if
> they don't use X at all.

I'm one who doesn't need X, but emacs21 is linked to some X, even to
(ugly) 3D scrollbars, which I hate. Thus, I would say it's a *very* big
disadvantage.

Also, I want to ask, if you don't mind. Thanks.

While there are plenty of possibilities to contribute to Debian as a whole,
and in particular, it's very hard for me to even build a package with
`apt-get source && debian/rules build`. If there are documents on the topic
of configuring self-built packages, please point me to them.

But I would really like to have something like
,-*-
|package-0.1.7: $ ./debian/rules help
`-*-

a very brief description of how to configure, build the package, or to have
the maintainer's configuration to play with (if this information isn't
KNOW-HOW ;).

apt-build is Debian's version of the Gentoo-like philosophy, and I would like
to use it fully.

> In order to keep the complexity of the entire Debian system manageable,
> we need to make those choices. If we, as a project, are of the opinion
> that providing SELinux support is a good thing, then everything in
> Debian that needs to be changed for the support to exist needs to be
> changed, even if the individual maintainer thinks SELinux isn't useful.

As there are *-static and non-static packages of executables, e2fsck for
example, I think it's not very hard to have some other differences,
such as *-x, -nox, etc.

As for SELinux and other security stuff, as was mentioned on lkml,
security requires money (big money). But if users of the off-topic system
are using Administrator, as they want to have only Word && solitaire,
and the time of half-OSes, like Win9X, has passed, it's their problem with
security and stuff, like having passwords stuck on the screen.
I'm not an admin in the server field, but my opinion, e.g., of openssh-server's
default config with "rootlogins: on" is bad; also, I've found that
having numerous configurations for it is very difficult, due to how
/etc/init.d/ssh is written (my laptop and server have real IPs,
and having a dummy ssh:22 is a good idea; also, having 2-3 dummies around
the real one on some other port is very good (as logs say) obscurity ;)

As for execshield, vDSO address space randomization and stuff like this,
software was buggy long before those features were implemented (the famous
bind, sendmail, etc.), thus I wouldn't rely strongly on it.

Kind regards.
--
-o--=O`C
 #oo'L O
<___=E M


