Attempts at security (was Re: Draft spec for new dpkg "triggers" feature)

[Ian Jackson <ian@davenant.greenend.org.uk>]

Russell Coker writes ("Re: Draft spec for new dpkg "triggers" feature"):
> On Friday 02 February 2007 00:02, Ian Jackson <ian@davenant.greenend.org.uk> 
> wrote:
> > If you want a general purpose hook, or some crazy SE-Linux-specific
> > feature, then you should probably propose one.  Personally I think a
> > general purpose hook feature would probably be abused so should not be
> > provided, and I think SE-Linux is no more than an interesting research
> > project and should not be deployed (ever) so obviously we shouldn't
> > have any code in dpkg for it.
> 
> I'm curious, do you have the same attitude towards non-executable stack 
> (Exec-Shield/PaX/OpenWall), Poly-Instantiated directories, and PIE 
> executables?

This is rather off-topic but since you ask, no, I don't have the same
attitude towards those.  My objection to SE Linux is based on the
complexity required to make anything of it, and as we all know
complexity is the enemy of security.  SE Linux makes the situation
worse, not better.

> I'm just wondering if you want Debian to have less security than
> Fedora in all areas.

Have you stopped beating your wife ?

Ian.