[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Security-HOWTO

Christian Kurz escribió:
> [Please do not send me Ccs, I read the list where I'm posting to. If not
> I explicitly state this at the beginnning of my mail.]

> On 00-12-04 Javier Fernandez-Sanguino Peña wrote:
> > Christian Kurz escribió:
> > >
> > >
> > > >       I have checked it out and would really like to see it included in
> > > >       the DDP and think that debian security guru's should help in
> > >
> > > Well, which package should include this documentation? May I also say,
> > > that some debian security interested guys helped in creating this
> > > document?
> >       As for the first one I do not know, maybe we should create a
> >       debian-security package to provide this kind of information like the
> >       java-common package provides the Java FAQ and the Java policy as
> Well, I think including this documentation into doc-debian would then be
> more sinful, because creating a new package for one document isn't a
> good idea.

	As a matter of fact, all documents in the DDP are made as separate packages,
doc-debian, for example, includes only the FAQ, the package-maintainer the
document of the same name, maint-guide the "New Maintainer Guide", java-common
the "Debian JAVA FAQ". So I would say that the standard procedure is to have
this documents in different packages..

> >       well as being a suited metapackage.  How about having a package
> >       providing this document and some useful scripts (for example
> >       cron.daily updates from security.debian.org) and dependancies on
> >       security-related packages. Kind of a meta-package...
> No, we had one discussion about this some time ago and came to the
> conclusion that such a metapackage isn't a good idea.

	Umm.. I have looked in the archive and I have only seen references to a
meta-package to do automatica updates from the security.debian.org site. Did you
talk on documentation and dependancies too?

> > > >       ideas? Also, since the package would depend on other packages we
> > > >       need to have this in the chrooted environment too, is there an
> > > >       *easy* way to do this?  (without needing to have two package
> > > >       databases)
> > >
> > > No, that's why I think chroots should always be set up by the admin and
> > > not by any tool. And a good idea knows how to create chroots even for
> > > programs using dynamic linking.
> > >
> >       I'm not quite the same thinking here. You could use the powerful package
> > management tools in order to automatically do this like:
> >       (user) - ok I want bind installed but chrooted in /home/bind
> >       (apt/dpkg) - downloading bind
> >       (apt/dpkg) - installing in /home/bind
> No, if you would have read the discussion on debian-devel you would also
> know, that this won't be possible.

	Because the discussion in debian-devel (which I missed but I have read a
resumed text on debian-planet) was centered on other issues. Was the chroot case
pushed into the discussion there.
	I am sorry, I do *not* read debian-devel, I barely have time to keep up with
the weekly news and debian planet summaries.

> >       (apt/dpkg) - checking dependancies of bind
> >       (apt/dpkg) - moving related libraries (to allow dynamic linking) into
> >                       /home/bind
> >       (apt/dpkg) - changing default init.d script to run bind but chrooted into
> >                       /home/bind
> Can always be done via an external script, that the administrator
> starts, if he really wants to chroot the daemon.
> >
> >       (....)
> >       (user) - dpkg --status bind
> >       (dpkg) Package: bind...
> >               Chrooted-in: /home/bind
> Won't work and I think this is somehting that Wichert won't include in
> dpkg. Also you should be free to choose the place to chroot for
> yourself.

	I do know that it will not work since it is not implemented in dpkg. The main
issue here is: "Is it useful? (security-wise)"

> >       Did it make any sense?
> Some and please turn that v-card of.

	Sorry If I do, I sometimes forget to remove it when I send mails... will have
to look on how to do it on a per-address basis.


Reply to: