[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Security-HOWTO

[Please do not send me Ccs, I read the list where I'm posting to. If not
I explicitly state this at the beginnning of my mail.]

On 00-12-04 Javier Fernandez-Sanguino Peña wrote:
> Christian Kurz escribió:
> > 
> > 
> > >       I have checked it out and would really like to see it included in
> > >       the DDP and think that debian security guru's should help in
> > 
> > Well, which package should include this documentation? May I also say,
> > that some debian security interested guys helped in creating this
> > document?

> 	As for the first one I do not know, maybe we should create a
> 	debian-security package to provide this kind of information like the
> 	java-common package provides the Java FAQ and the Java policy as

Well, I think including this documentation into doc-debian would then be
more sinful, because creating a new package for one document isn't a
good idea.

> 	well as being a suited metapackage.  How about having a package
> 	providing this document and some useful scripts (for example
> 	cron.daily updates from security.debian.org) and dependancies on
> 	security-related packages. Kind of a meta-package...

No, we had one discussion about this some time ago and came to the
conclusion that such a metapackage isn't a good idea.

> > >       ideas? Also, since the package would depend on other packages we
> > >       need to have this in the chrooted environment too, is there an
> > >       *easy* way to do this?  (without needing to have two package
> > >       databases)
> > 
> > No, that's why I think chroots should always be set up by the admin and
> > not by any tool. And a good idea knows how to create chroots even for
> > programs using dynamic linking.
> > 
> 	I'm not quite the same thinking here. You could use the powerful package 
> management tools in order to automatically do this like:

> 	(user) - ok I want bind installed but chrooted in /home/bind
> 	(apt/dpkg) - downloading bind
> 	(apt/dpkg) - installing in /home/bind

No, if you would have read the discussion on debian-devel you would also
know, that this won't be possible.

> 	(apt/dpkg) - checking dependancies of bind
> 	(apt/dpkg) - moving related libraries (to allow dynamic linking) into
> 			/home/bind
> 	(apt/dpkg) - changing default init.d script to run bind but chrooted into
> 			/home/bind

Can always be done via an external script, that the administrator
starts, if he really wants to chroot the daemon. 
> 	(....)

> 	(user) - dpkg --status bind
> 	(dpkg) Package: bind...
> 		Chrooted-in: /home/bind

Won't work and I think this is somehting that Wichert won't include in
dpkg. Also you should be free to choose the place to chroot for

> 	Did it make any sense?

Some and please turn that v-card of.

          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853

Attachment: pgpCdudEnGLkZ.pgp
Description: PGP signature

Reply to: