[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Hardened project (question about use of the "Debian" trademark)



On Fri, Sep 17, 2004 at 10:55:33PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:

> Yes.The `apt-get install hardened? was an example of something 100% easy
> to use :D

  Unfortunately whilst easy to use is good the idea of rebuilding the
 packages presented so far isn't going to be easy to setup.

  Either you end up rebuilding the archive with PaX + SSP + etc and
 distributing that, which then effectively becomes a fork, or you have
 to update the buildd network to include these things *by default*
 which is unlikely to happen in the short term.

> I agree with you, the packages should be just one branch: main.
> Al the packages should include the hardening features as they don't
> interrupt with the software.

  That would be a worthy goal, and something I'd love to see.  I
 suspect that without real testing and a lot of motivation it is
 unlikely to occur quickly though.

> > Now, if you're after creating SELinux, GRSecurity, and RSBAC policies,
> > those can be controlled by boot time parameters to the kernel.  Also, as
> > long as they're off, there's no need for the user to install the policy.
> > ~ Those are the types of things that can *feasibly* be made optional,
> > because they don't require a recompile.
> 
> Yes, i had the same idea, it's fine.
> Recompile WOULDN'T BE NEEDED in any way.

  For those other things?  No that is correct recompiling is not
 required, however for SELinux at least there must be the creation
 and distribution of policies.  There was some discussion on this
 on debian-devel a while back, which I understood to be a lot of
 work.

  Of course no policy is going to apply to all users, so there
 will be a bit of 'unsimpleness' involved for some.


> Yes, PaX flags, etc....
> I agree with you again, there's no need to separate the packages into
> two different brands/branchs.

  So practically, how do you see going forward?

> I think we can collaborate, and i'm really interested in working
> together with the people of the debian project, also with the debian
> security crew (Steve!),

  Assuming you mean me - I'm not associated with the Security people.
 Just to be clear ..

> so, just tell me , i'm waiting for hear a big
> "We think it's great to work with it" and also i think my objectives are
> worthy.

  I, personally, think that having the archive compiled with things
 like PaX/SSP is a good thing.  I suspect that testing it and getting
 it all working is such a large effort that the buildds aren't going
 to switch overnight (if ever) and that changing this is going to be 
 .. religious.

  Practically I'm not sure what this means, the obvious course is
 to build and test things then report back 'hey it works'.  Whether
 that will be sufficient to convince people remains to be seen -
 especially as things look like they are changing anyway.

  (GCC seem to be moving with mudflap and not integrating SSP for
 example).
 
> PS: Good night!

  Good night - 23:38 here, and I'm going to the pub!

Steve
--



Reply to: