[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Will 2.4.20 Source be patched for the latest kernel vulnerability?



on Wed, Dec 03, 2003 at 04:57:29PM +0100, Adam ENDRODI (borso@vekoll.saturnus.vein.hu) wrote:
> On Wed, Dec 03, 2003 at 06:46:51AM -0800, Karsten M. Self wrote:
> > on Wed, Dec 03, 2003 at 01:31:29PM +0000, Dale Amon (amon@vnl.com) wrote:
> > > On Wed, Dec 03, 2003 at 03:21:57PM +0200, Riku Valli wrote:
> > > > This is reason why i ask what about stock kernels, because i belive i am not
> > > > lonely cowboy at the middle of the no where. Debian is distrubution and
> > > 
> > > Probably not... it is just that amongst a security conscious
> > > group you are likely to find that most will build their own
> > > kernels and add their own security patches. Paranoia is your friend
> > > in security.
> 
> [...]
> > Having a team that shares experience and combines talents in patching a
> > kernel and tuning it to secure configurations is a preferable approach.
> 
> I tend to disagree.  The kernel is a versatile program, it can be
> patched, configured and compiled in too many ways.  

...including many of which are wrong, broken, or suboptimal.

This doesn't preclude shipping configurations, or even configuration
files, which meet many or sufficing case needs.  Nor does it mean that
you can't patch your own, if you choose.

I already count seven builds of the 2.4.20 kernel on x86 architecture,
fitting specific needs of different specific kernel types as well as
uni- and multi-processor systems.


> As far as I know, Debian is not is not intended to best fit the needs
> of a security architecture, but to provide a usable environment to the
> mass of slightly advanced skills.  

I see Debian much as Ian Murdoch's described as a distribution
infrastructure on which you can build what you specifically need,
through package selection, and if necessary, modification.

Debian offers three different hardening options -- bastille, the harden*
group of packages, and the SELinux* set of packages.

There are a number of metapackages targeting specific "vertical markets"
for Debian, including DebianJr., and IIRC a primary/secondary education
target.  While not specifically addressing security contexts, these *do*
point out that the Debian Project is a platform on which specific goals
can be supported.


> The requirements often conflict, and while the developers do their
> best to fulfill as many as possible of them (for instance, by creating
> alternative kernel packages), in certain situation they might choose
> to prefer something else over security.

I disagree.

The dependencies and package-management capabilities of Debian make it a
preferred base from which to build a secure system.  This can be as a
full system, capable of apt-get updates itself, or a minimal, bootable
system lacking the requirements of a full Debian system, but built using
the Debian infrastructure.  By contrast, OpenBSD, the "other" secure
platform, is very specifically hardened, but is 


> To sum up, it's always great to have a chance to learn from
> the more experienced, but I don't expect them to do my homework.
> They are not supposed to.

You're missing the point of collaborative development.

For the individual, or group, which puts the effort into building a
secure architecture, Debian offers distribution, bugtracking, QC, and
release mechanisms which can prove highly useful.  In the specific case
of kernel hardening, there's the question of how to package and
structure things in a way that's useful across other axes of variance
(arches, SMP/UP, server/workstation/desktop, etc.), but the task isn't
impossible.


> > While you _might_ do well on your own, the typical admin doesn't have
> > these skills.
> 
> As times go I'm more and more convinced you're right.  Conversely...
> we're on debian-security, after all.

;-)


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely

Attachment: pgp5UPz2s4ALf.pgp
Description: PGP signature


Reply to: