Re: goals for hardening Debian: ideas and help wanted

To: debian-security <debian-security@lists.debian.org>, debian-devel@lists.debian.org
Cc: pkg-aa-profiles-team@lists.alioth.debian.org, Kees Cook <kees@debian.org>
Subject: Re: goals for hardening Debian: ideas and help wanted
From: intrigeri <intrigeri@debian.org>
Date: Sat, 07 Jun 2014 03:39:20 +0200
Message-id: <[🔎] 85r431h513.fsf@boum.org>
In-reply-to: <alpine.DEB.2.10.1404241841420.15893@capitanata.oa-cagliari.inaf.it> (Giacomo Mulas's message of "Thu, 24 Apr 2014 18:49:20 +0200 (CEST)")
References: <1398308259.7980.49.camel@chianamo> <53587e34.e7d9420a.6e72.ffffd838@mx.google.com> <1398308764.7980.52.camel@chianamo> <alpine.DEB.2.10.1404241121540.8839@capitanata.oa-cagliari.inaf.it> <20140424162515.GB5751@virgil.dodds.net> <alpine.DEB.2.10.1404241841420.15893@capitanata.oa-cagliari.inaf.it>

Hi,

Giacomo Mulas wrote (24 Apr 2014 16:49:20 GMT) :
> Good to know, actually I had tried apparmor quite some time ago and did not
> try again. I will give it another spin as soon as I can.

https://wiki.debian.org/AppArmor/HowTo :)

> However, I do not agree that I should file bugs against apparmor if a debian
> package does not work properly, it should go to the package manager (and
> maybe cc to some apparmor expert team). It cannot be the maintainer(s) of
> apparmor to have to shoulder the effort of creating and maintaining profiles
> for all debian packages.  They may be called in for support, but regular
> package maintainers should be involved IMHO, otherwise it will never really
> take off and provide significantly better security.

IMO, the bug should be filed against the package that ships the
profile: it's not a bug in the apparmor package, that other packages
may feed it with a buggy configuration.

Now, most package maintainers currently don't use AppArmor, and they
may upload AppArmor profiles (e.g. provided by upstream) that won't
work as-is in Debian. We have no clear consensus that we should invest
time, distro-wide, to support AppArmor in Debian, so I don't think we
can blame anyone for this. At least they're giving a chance, for
anyone interested, to actually test these profiles, enjoy it when it
works, and report bugs otherwise.

If the profile is shipped in the same package as the software (as
opposed to what comes from apparmor-profiles), and if the maintainer
lack the resources and/or the interest to take care of such bugs, then
they still have two useful options:

 * ask the AppArmor profiles team (Cc'd) for help to fix the profile,
   in order to go on shipping it along with the software it's about;
   that would be my preferred solution, whenever applicable;

 * drop the profile from their package altogether, and ask
   pkg-aa-profiles for inclusion in the upcoming
   apparmor-profiles-extra package.

I still hadn't time to properly announce the pkg-aa-profiles team, so
no wonder it hasn't taken off yet. Help is welcome:

   https://wiki.debian.org/AppArmor/Contribute

If interested in more background information:
https://lists.debian.org/debian-security/2014/01/msg00008.html

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Reply to:

Prev by Date: Re: Where / what is the repo for netkit-telnetd source packages?
Next by Date: Re: Where / what is the repo for netkit-telnetd source packages?
Previous by thread: Re: Where / what is the repo for netkit-telnetd source packages?
Next by thread: Re: goals for hardening Debian: ideas and help wanted
Index(es):
- Date
- Thread