
Re: Adamantix



On Thu, Jun 17, 2004 at 03:15:51PM +0200, Kim wrote:
>    Hi All.
>    
>    I have been working with Debian for about 3 years now using it as
>    different server solutions.
>    
>    The other day I came about the Adamantix distribution. Adamantix is a
>    distribution that aims to be very secure and very hard to crack. The
(...)
>    Why is this level of security not the standard of Debian?

There are several things you should notice here:

1.- There is a kernel-patch-adamantix package and many of the 
Adamantix-specific tools (RSBAC tools mainly) are included in unstable and 
supported fully. It is not provided by default since it breaks a number of 
things (X, for example). This is a similar situation as with exec-shield 
and SELinux in Debian.

2.- Besides the kernel changes, Adamantix recompiles the distribution with
a GCC patch that should limit buffer overflows; this one is called SPP
(formerly known as ProPolice). Steven Kemp is currently testing its impact
(see http://shellcode.org/Cat/). GCC 3.3 does not yet include the patch per
default since it has not been sufficiently tested on non-i386 archs AFAIK
(see #233208 and #213994 for more information). There have been a number of
discussions at -devel regarding this patch (browse the archives).

So, regarding Debian vs Adamantix:

1.- the Adamantix kernel can be "made" on stock Debian; an admin has to do
it himself since it's not provided per default, however. This will provide
you RSBAC+PaX.

2.- the pre-compiled packages are not available currently in Debian, but 
you can re-compile them yourself. Debian might provide, in the future, an 
i386 'flavor' that is compiled with SPP. However, this will be a different 
"architecture" (just like i386 is different from sparc) and that means 
there is a need for mirror space and porters.

So, even though all those features are currently easier to be found on 
Adamantix (after all it's a very feature-specific distribution) they will 
be available in Debian, fully supported and maybe even within the default 
installation, sometime in the future. 

How can you speed it up? Help get more testing/documentation done for the 
Adamantix-specific things and help make this new 'i386-spp' flavor 
available by testing both the SPP patches and packages compiled with SPP 
enabled.

Notice that Adamantix's FAQ is not correct in some of the points they make 
(see http://www.adamantix.org/faq.html). You can submit bugs to Debian's 
BTS if they are related to any of the above.

>    
>    Further information is provided at http://www.trusteddebian.org/

That link is not correct, and might be deprecated in the future; use 
www.adamantix.org

HTH

Javier

PS: I will try to find some time to add this information to the Debian 
Security Manual.
