
Re: status of introducing security mechanisms in Debian


On Tue, Feb 08, 2011 at 01:33:12PM +0100, mircan@poczta.onet.pl wrote:
> Hi,
> I'm writing with reference to the security tests performed by MWR Labs last
> year. To avoid writing too much I'll just give links to the articles
> describing the tests:
> http://labs.mwrinfosecurity.com/notices/security_mechanisms_in_linux_environment__part_1___userspace_memory_protection/
> http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/

Including compile-time hardening options has been discussed for a long
time, but the effort is probably lacking people willing to push it. You can
see some historical pages on the wiki [1].

It seems that this might be a release goal for Wheezy, or at least it will
probably be discussed at the next DebConf, as the Debian security team
stated in their last mail on debian-devel-announce after their last
meeting [2].

I have myself begun to file bug reports [3] against some packages to include
hardening-wrapper in the build-deps, after having almost successfully rebuilt
most of the packages available in the main section. Since then, I'm waiting
for DebConf to see the path that will be chosen to implement this.

> As stated in the articles, in Debian Lenny very few of the
> available security mechanisms of the Linux environment were included. I
> just wanted to know what the status of this is in Squeeze and also
> raise a release goal for Wheezy to enable some pro-active security
> mechanisms mentioned in the articles. For example, I guess enabling
> PIE in iceweasel, other web browsers and network daemons is worth
> taking into consideration. I know my point is extremely general, I
> just hope to start a discussion about this topic.
> Thanks,
> Marcin

[1] http://wiki.debian.org/Hardening
[2] http://lists.debian.org/debian-devel-announce/2011/01/msg00006.html
[3] http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=hardening;users=debian-security@lists.debian.org
