
Re: Debian Security-HOWTO



On 00-12-05 Javier Fernandez-Sanguino Peña wrote:
> Christian Kurz wrote:
> > On 00-12-04 Javier Fernandez-Sanguino Peña wrote:
> > > Christian Kurz wrote:
> > > >
> > > >
> > > > >       I have checked it out and would really like to see it included in
> > > > >       the DDP and think that debian security gurus should help in
> > > >
> > > > Well, which package should include this documentation? May I also say,
> > > > that some debian security interested guys helped in creating this
> > > > document?
> > 
> > >       As for the first one I do not know, maybe we should create a
> > >       debian-security package to provide this kind of information like the
> > >       java-common package provides the Java FAQ and the Java policy as
> > 
> > Well, I think including this documentation into doc-debian would then be
> > more sinful, because creating a new package for one document isn't a
> > good idea.

> 	As a matter of fact, all documents in the DDP are made as separate packages,
> doc-debian, for example, includes only the FAQ, the package-maintainer the
> document of the same name, maint-guide the "New Maintainer Guide", java-common
> the "Debian JAVA FAQ". So I would say that the standard procedure is to have
> these documents in different packages.

Well, now we have two or three different formats, so an extra package
would be alright, but I had the one format in mind and creating a package
for 1 doc is a bit too much. :)

> > >       well as being a suited metapackage.  How about having a package
> > >       providing this document and some useful scripts (for example
> > >       cron.daily updates from security.debian.org) and dependencies on
> > >       security-related packages. Kind of a meta-package...
> > 
> > No, we had one discussion about this some time ago and came to the
> > conclusion that such a metapackage isn't a good idea.

> 	Umm.. I have looked in the archive and I have only seen references
> 	to a meta-package to do automatic updates from the
> 	security.debian.org site. Did you talk on documentation and
> 	dependencies too?

Yes, look in the archives, I think the discussion was on -devel. But you
should be able to find it.

> > > > >       ideas? Also, since the package would depend on other packages we
> > > > >       need to have this in the chrooted environment too, is there an
> > > > >       *easy* way to do this?  (without needing to have two package
> > > > >       databases)
> > > >
> > > > No, that's why I think chroots should always be set up by the admin and
> > > > not by any tool. And a good idea knows how to create chroots even for
> > > > programs using dynamic linking.
> > > >
> > >       I'm not quite the same thinking here. You could use the powerful package
> > > management tools in order to automatically do this like:
> > 
> > >       (user) - ok I want bind installed but chrooted in /home/bind
> > >       (apt/dpkg) - downloading bind
> > >       (apt/dpkg) - installing in /home/bind
> > 
> > No, if you would have read the discussion on debian-devel you would also
> > know, that this won't be possible.

> 	Because the discussion in debian-devel (which I missed but I have
> 	read a resumed text on debian-planet) was centered on other issues.
> 	Was the chroot case pushed into the discussion there?  I am sorry, I
> 	do *not* read debian-devel, I barely have time to keep up with the
> 	weekly news and debian planet summaries.

Yes, this issue came also up and it was noticed, that this is absolutely
not possible and would be too difficult.

> > >       (apt/dpkg) - checking dependencies of bind (apt/dpkg) -
> > >       moving related libraries (to allow dynamic linking) into
> > >       /home/bind (apt/dpkg) - changing default init.d script to
> > >       run bind but chrooted into /home/bind
> > 
> > Can always be done via an external script, that the administrator
> > starts, if he really wants to chroot the daemon.
> > >
> > >       (....)
> > 
> > >       (user) - dpkg --status bind (dpkg) Package: bind...
> > >       Chrooted-in: /home/bind
> > 
> > Won't work and I think this is something that Wichert won't include
> > in dpkg. Also you should be free to choose the place to chroot for
> > yourself.

> 	I do know that it will not work since it is not implemented in dpkg.
> 	The main issue here is: "Is it useful? (security-wise)"

No, because for example you should force the admin to use a certain dir
for chroots. The admin should also be free to decide where he wants to
put the chroot. 

> > >       Did it make any sense?
> > 
> > Some and please turn that v-card off.

> 	Sorry if I do, I sometimes forget to remove it when I send mails...
> 	will have to look on how to do it on a per-address basis.

Well, depends on your mailer. With mutt it would be possible to do that. 

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
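
The thread mentions an external script that the administrator runs to chroot a daemon, including moving the libraries needed for dynamic linking. The following is an added example of such a script, not part of the original message and not a Debian tool; the function names are hypothetical and the `named` binary path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: copy a binary plus the shared libraries it links against
# into a chroot directory chosen by the administrator.

# Print the absolute path of each shared object ldd resolves for $1.
# ldd may execute code from the inspected file: use on trusted binaries only.
# Libraries loaded at run time with dlopen() (e.g. NSS modules) are not listed.
chroot_libs() {
    { ldd "$1" 2>/dev/null || true; } | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libfoo.so => /path (addr)
        $1 ~ /^\//               { print $1 }        # the dynamic loader line
    ' | sort -u
}

# Copy one file to the same path below the jail, following symlinks.
copy_into() {
    mkdir -p "$2$(dirname "$1")"
    cp -L "$1" "$2$1"
}

# populate_chroot BINARY JAIL
populate_chroot() {
    bin=$1 jail=$2
    case $bin in /*) ;; *) echo "binary path must be absolute" >&2; return 1 ;; esac
    [ -d "$jail" ] || { echo "jail directory $jail does not exist" >&2; return 1; }
    copy_into "$bin" "$jail"
    for lib in $(chroot_libs "$bin"); do
        copy_into "$lib" "$jail"
    done
}

# Constructed usage; the binary path is an assumption, /home/bind is from the thread:
#   populate_chroot /usr/sbin/named /home/bind
if [ "$#" -eq 2 ]; then
    populate_chroot "$1" "$2"
fi
```

Files copied this way are not tracked by dpkg, so the script has to be rerun after each security update of the daemon or its libraries.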
