Re: Debian Security-HOWTO
Christian Kurz wrote:
>
> [Please do not send me Ccs, I read the list where I'm posting to. If not
> I explicitly state this at the beginning of my mail.]
Ok.
>
> On 00-12-04 Javier Fernandez-Sanguino Peña wrote:
> > Christian Kurz wrote:
> > >
> > >
> > > > I have checked it out and would really like to see it included in
> > > > the DDP and think that debian security gurus should help in
> > >
> > > Well, which package should include this documentation? May I also say,
> > > that some debian security interested guys helped in creating this
> > > document?
>
> > As for the first one I do not know, maybe we should create a
> > debian-security package to provide this kind of information like the
> > java-common package provides the Java FAQ and the Java policy as
>
> Well, I think including this documentation into doc-debian would then be
> more sinful, because creating a new package for one document isn't a
> good idea.
As a matter of fact, all documents in the DDP are made as separate packages,
doc-debian, for example, includes only the FAQ, the package-maintainer the
document of the same name, maint-guide the "New Maintainer Guide", java-common
the "Debian JAVA FAQ". So I would say that the standard procedure is to have
these documents in different packages.
>
> > well as being a suited metapackage. How about having a package
> > providing this document and some useful scripts (for example
> > cron.daily updates from security.debian.org) and dependencies on
> > security-related packages. Kind of a meta-package...
>
> No, we had one discussion about this some time ago and came to the
> conclusion that such a metapackage isn't a good idea.
Umm.. I have looked in the archive and I have only seen references to a
meta-package to do automatic updates from the security.debian.org site. Did you
talk on documentation and dependencies too?
>
> > > > ideas? Also, since the package would depend on other packages we
> > > > need to have this in the chrooted environment too, is there an
> > > > *easy* way to do this? (without needing to have two package
> > > > databases)
> > >
> > > No, that's why I think chroots should always be set up by the admin and
> > > not by any tool. And a good idea knows how to create chroots even for
> > > programs using dynamic linking.
> > >
> > I'm not quite the same thinking here. You could use the powerful package
> > management tools in order to automatically do this like:
>
> > (user) - ok I want bind installed but chrooted in /home/bind
> > (apt/dpkg) - downloading bind
> > (apt/dpkg) - installing in /home/bind
>
> No, if you would have read the discussion on debian-devel you would also
> know, that this won't be possible.
Because the discussion in debian-devel (which I missed but I have read a
resumed text on debian-planet) was centered on other issues. Was the chroot case
pushed into the discussion there?
I am sorry, I do *not* read debian-devel, I barely have time to keep up with
the weekly news and debian planet summaries.
>
> > (apt/dpkg) - checking dependencies of bind
> > (apt/dpkg) - moving related libraries (to allow dynamic linking) into
> > /home/bind
> > (apt/dpkg) - changing default init.d script to run bind but chrooted into
> > /home/bind
>
> Can always be done via an external script, that the administrator
> starts, if he really wants to chroot the daemon.
> >
> > (....)
>
> > (user) - dpkg --status bind
> > (dpkg) Package: bind...
> > Chrooted-in: /home/bind
>
> Won't work and I think this is something that Wichert won't include in
> dpkg. Also you should be free to choose the place to chroot for
> yourself.
I do know that it will not work since it is not implemented in dpkg. The main
issue here is: "Is it useful? (security-wise)"
>
> > Did it make any sense?
>
> Some and please turn that v-card off.
>
Sorry if I do, I sometimes forget to remove it when I send mails... will have
to look on how to do it on a per-address basis.
Javi
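
The library-moving step discussed in this thread (finding what a dynamically linked daemon needs and placing it under the chroot directory) can be done by an administrator-run script. The following is an added example, not part of the original mail and not code from dpkg, apt or any Debian package; the function names are hypothetical and the chroot path is whatever the administrator passes in.

```shell
#!/bin/sh
# Added example (hypothetical helper names): stage a dynamically linked
# binary and the shared libraries it needs into a chroot directory.
# Caveat: ldd may run the binary's loader, so use it on trusted binaries only.

# Read `ldd` output on stdin and print the absolute library paths it names.
# Handles "name => /path (addr)" lines and the bare "/lib/ld-... (addr)"
# loader line; skips virtual entries (linux-vdso) and "not found" lines.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one file into the chroot, keeping its absolute path below the root.
# Usage: stage_file <chroot-dir> <absolute-path>
stage_file() {
    mkdir -p "$1$(dirname "$2")" && cp -p "$2" "$1$2"
}

# Stage a binary plus every library ldd reports for it.
# Usage: stage_binary <chroot-dir> <absolute-path-to-binary>
stage_binary() {
    stage_file "$1" "$2" || return 1
    ldd "$2" | ldd_paths | while read -r lib; do
        stage_file "$1" "$lib" || exit 1
    done
}
```

Libraries loaded at run time (for example via dlopen or NSS) do not appear in ldd output and still have to be added by hand.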