
Proposing amd64-hardened architecture for Debian



Hi,

I have posted the following idea on my blog [7] to get comments from
people not on this list, but obviously this is the mailing list where
the proposal should be discussed. :-)

-----

Facing last week's Heartbleed [1] bug, the need for improving the
security of our systems became more apparent than usual. In Debian
there are widely used methods for hardening [2] packages at build time
and guidelines [3] for improving the default installations' security.

Employing such methods usually comes at a cost, for example slower
code execution of binaries due to additional checks, or additional
configuration steps when setting up a system. Balancing between
usability and security, Debian chose an approach which would satisfy
most users by using C/C++ features [4] which only slightly decrease the
execution speed of built binaries and by using reasonable defaults in
package installations.

All the architectures supported by Debian aim to use the same methods
for enhancing security, but it does not have to stay that way. Amd64
is the most widely used architecture of Debian according to popcon [5],
and amd64 hardware comes with powerful CPUs. I think there would be a
significant number of people (being one of them :-)) who would happily
use a version of Debian with more security features enabled by default,
sacrificing some CPU power and installing and setting up additional
packages.

My proposal for serving those security-focused users is to introduce a
new architecture targeting amd64 hardware, but with more security
related C/C++ features turned on for every package (currently hardening
has to be enabled by the maintainers in some way) through compiler flags
as a start.
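To make the "turned on for every package through compiler flags" part concrete, here is an added example (written for this discussion, not code from the post or from dpkg) that models how dpkg-buildflags' DEB_BUILD_MAINT_OPTIONS hardening syntax selects features and expands them into CPPFLAGS/CFLAGS/LDFLAGS. The feature names and the flags they map to are the ones dpkg-buildflags documents; the baseline set of features assumed to be on by default (DEFAULT_ON) is a constructed assumption, since the real defaults depend on the dpkg version and architecture. The delta it reports is exactly what an amd64-hardened build would add to every package compared with a plain amd64 build.

```python
"""Illustrative model of dpkg-buildflags' hardening option handling.

Example code written for this discussion, not dpkg's own implementation.
Feature names and their flags follow the dpkg-buildflags documentation;
DEFAULT_ON is an assumed baseline, not a statement of Debian's real defaults.
"""

# Hardening areas understood by dpkg-buildflags and the flags they expand to.
FEATURE_FLAGS = {
    "format":               {"CFLAGS": ["-Wformat", "-Werror=format-security"]},
    "fortify":              {"CPPFLAGS": ["-D_FORTIFY_SOURCE=2"]},
    "stackprotector":       {"CFLAGS": ["-fstack-protector", "--param=ssp-buffer-size=4"]},
    "stackprotectorstrong": {"CFLAGS": ["-fstack-protector-strong"]},
    "relro":                {"LDFLAGS": ["-Wl,-z,relro"]},
    "bindnow":              {"LDFLAGS": ["-Wl,-z,now"]},
    "pie":                  {"CFLAGS": ["-fPIE"], "LDFLAGS": ["-fPIE", "-pie"]},
}
ALL_FEATURES = frozenset(FEATURE_FLAGS)

# Constructed baseline for this example: what a maintainer gets without
# touching DEB_BUILD_MAINT_OPTIONS. bindnow and pie are the opt-in ones here.
DEFAULT_ON = frozenset(
    {"format", "fortify", "stackprotector", "stackprotectorstrong", "relro"}
)


def parse_hardening(maint_options, base=DEFAULT_ON):
    """Apply a DEB_BUILD_MAINT_OPTIONS string such as 'hardening=+all,-pie'
    to a base feature set. Items are processed left to right: '+all'/'-all'
    act on every feature, '+name'/'-name' toggle a single one."""
    enabled = set(base)
    for option in maint_options.split():
        if not option.startswith("hardening="):
            continue  # other option areas (e.g. reproducible=) are ignored here
        for item in option[len("hardening="):].split(","):
            item = item.strip()
            if not item:
                continue
            sign, name = item[0], item[1:]
            if sign not in "+-" or name not in ALL_FEATURES | {"all"}:
                raise ValueError(f"unknown hardening option: {item!r}")
            targets = ALL_FEATURES if name == "all" else {name}
            if sign == "+":
                enabled |= targets
            else:
                enabled -= targets
    return frozenset(enabled)


def build_flags(enabled):
    """Expand a feature set into CPPFLAGS/CFLAGS/LDFLAGS lists.
    'stackprotectorstrong' supersedes 'stackprotector' when both are on,
    matching what dpkg-buildflags emits with a compiler that supports it."""
    flags = {"CPPFLAGS": [], "CFLAGS": [], "LDFLAGS": []}
    for feature in sorted(enabled):
        if feature == "stackprotector" and "stackprotectorstrong" in enabled:
            continue
        for var, values in FEATURE_FLAGS[feature].items():
            flags[var].extend(values)
    return flags


def added_by_hardening(maint_options, base=DEFAULT_ON):
    """Flags the given options add on top of the base build, per variable.
    For the proposal this is the per-package delta of an amd64-hardened build."""
    before = build_flags(base)
    after = build_flags(parse_hardening(maint_options, base))
    return {var: [f for f in after[var] if f not in before[var]] for var in after}


if __name__ == "__main__":
    for opts in ("", "hardening=+all", "hardening=+all,-pie"):
        print(f"{opts or '(defaults)':>22}: {added_by_hardening(opts)}")
```

With the assumed baseline, `hardening=+all` adds only `-fPIE` to CFLAGS and `-Wl,-z,now -fPIE -pie` to LDFLAGS; that small, mechanical delta is the whole "as a start" of the proposal, applied archive-wide instead of per maintainer.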

Introducing the new architecture would also let package maintainers
enable additional dependencies and build rules selectively for the new
architecture, improving security further. On the users' side, the
advantage of having a separate security-enhanced architecture instead of
a Debian derivative is the potential of installing a set of security-
enhanced packages using multiarch [6]. You could have a fast amd64
installation as a base and run Apache or any other sensitive server from
the amd64-hardened packages!

-----

What do you think? Would adding a new arch be feasible and a good solution?

Cheers,
Balint

PS: There was a long security related thread on -private which I can't
refer to and in which Paul Wise proposed a "secondary high-security (but
slower) archive", and while I think it is a very good idea it would not
allow mixing fast and secure packages using multiarch.

[1] http://heartbleed.com/
[2] https://wiki.debian.org/Hardening
[3] https://www.debian.org/doc/manuals/securing-debian-howto/ch-automatic-harden.en.html
[4] https://wiki.debian.org/Hardening#Notes_on_Memory_Corruption_Mitigation_Methods
[5] http://popcon.debian.org/index.html
[6] https://wiki.debian.org/Multiarch
[7] http://balintreczey.hu/blog/proposing-amd64-hardened-architecture-for-debian

