
security handling in Debian



-----BEGIN PGP SIGNED MESSAGE-----

Dear Alex,

You and your opponent have made the right point:

it currently takes big amounts of knowledge and work to reasonably secure a
system.

Everyone agrees that the Debian package system is great. It saves sysadmins
much time.

Why not do something comparable for security configuration?

We tested OpenBSD. It has advantages (secure by default, up to date
manpages) and disadvantages (e.g. fewer and less comfortable configuration
tools). We used SuSE for 2 years and have recently opted for Debian. Why?

overall system administration time and expenses compared to system quality
(including security) and usability -- we optimize, not maximize

The paradigm shift I suggest is:

"secure by default" which means if someone wants more user ease and
convenience and wishes to trade in some security for it, he should be able
to choose to do so. But one should start with secure.

Motto: this and that

(not this or that)

Greetings,

Lucien

On Thursday 01 February 2001 21:50, Alexander Hvostov wrote:
> Lucien,
>
> I've proposed a secure by default configuration for new Debian
> installations on this list before. It drew harsh criticism from at least
> one person whose belief it was that those who lack the knowledge to secure
> their systems deserve to be rooted. Because of this attitude, and the
> fact that maintainers of several packages of questionable security (eg
> NFS) refuse to move their packages out of `standard' and into `optional'
> or `extra', I have my doubts that Debian will be secure by default anytime
> soon. If secure by default is what you want, you'll probably be better off
> with OpenBSD, where secure by default is their policy.
>
> Regards,
>
> Alex.
>
> ---
> PGP/GPG Fingerprint:
>   EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/CM>CC/IT d- s:+ a16 C++(++++)>$ UL++++>$ P--- L++>++$ E+ W+(-) N+ o?
> K? w---() !O !M !V PS+(++)>+ PE-(--) Y+>+ PGP t+>++ !5 X-- R>++ tv(+)
> b+(++) DI(+) D++ G>+++ e--> h! !r y>+++
> ------END GEEK CODE BLOCK------
>
> On Thu, 1 Feb 2001, A. L. Meyers wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > On Thursday 01 February 2001 07:01, Daniel Jacobowitz wrote:
> > > On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> > > > G'day,
> > > >   I'm writing this to express my frustration at the slowness Debian
> > > > seems to be afflicted with when it comes to letting people know
> > > > about our security vulnerabilities and fixes.
> > > >
> > > > We seem to be able to find, fix and upload fixed packages quite
> > > > quickly, however we are usually the last to let others know that
> > > > they should upgrade to the new packages, making our users
> > > > unnecessarily vulnerable.
> > >
> > > I beg your pardon?  This isn't the general case at all.  Your example
> > > is certainly accurate, but to my knowledge lprng is the only thing to
> > > slip through the cracks that way in a year.  We're often behind with
> > > fixes in general, but when we post a fix the advisory generally goes
> > > out the same day!
> > >
> > > Dan
> > >
> > > /--------------------------------\  /--------------------------------\
> > >
> > > |       Daniel Jacobowitz        |__|        SCS Class of 2002       |
> > > |   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
> > > |         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
> > >
> > > \--------------------------------/  \--------------------------------/
> >
> > Dear GNU/Debianites,
> >
> > "errare humanum est"
> >
> > Even the best are not perfect.
> >
> > But security tracking is one of the areas where open source shines the
> > most.
> >
> > Proprietary closed source systems can't even come remotely close to the
> > security auditing and security improvement controls implemented by open
> > source = open scrutiny.
> >
> > With the security vulnerabilities of the internet, my hope is that there
> > will soon be a paradigm shift to: "secure by default".
> >
> > Greetings,
> >
> > Lucien

--
This message may contain confidential data intended only for the rightful
addressee. Should you receive it by error, please delete it at once and
inform the sender. We encourage the use of encrypted e-mail.
Please visit our web site: http://www.consult-meyers.com


