Re: How secure is an installation with no non-free packages?
On Fri, 2013-09-13 at 09:57 +0900, Joel Rees wrote: 
> On Fri, Sep 13, 2013 at 8:42 AM, adrelanos <adrelanos@riseup.net> wrote:
> > adrelanos:
> >> How secure is a Debian installation with packages installed only from main,
> >> none from contrib or non-free?
> >>
> >> It will lack for example the firmware-linux-nonfree package and the
> >> intel-microcode / amd-microcode package. At least the microcode one is
> >> security relevant? Are there any other packages which might be important
> >> to have installed for security reasons?
> >>
> >> I mean, how secure is it in comparison with those packages installed vs
> >> not having them installed?
> >>
> >>
> >
> > I apologize, I didn't want to start a discussion of Open Source vs
> > closed source. (Feel free to have it, I am delighted to read your
> > thoughts on it, but I'd be also happy about an answer to the question I
> > meant to ask but failed to properly state.) Sorry for not asking clearly
> > in the first place.
> >
> > To rephrase my original question:
> >
> > How vulnerable is a Debian installation without the intel-microcode /
> > amd-microcode package?
> 
> No one knows.
> 
> We can only guess. Our guess includes an assumption that Intel or AMD
> would or would not deliberately sabotage their products at the
> instigation of an organization like the Chinese/Taiwanese government
> or the NSA or some similar equivalent or not-so-equivalent secret
> organization.
> 
> Ken Thompson gave us the archetype response on this question when he
> described a way to grandfather a backdoor password into (the libraries
> used by) a C compiler such that it would not show in the source but
> would be present in the object. I assume you have read his essay on
> trusting trust?
> 
> (1) All we can say for sure is that anything that is open is
> inherently more open than anything that is closed.
> 
> (2) Anything we didn't build ourselves may be deliberately sabotaged.
> 
> (3) Anything we do build ourselves will have accidental gaping holes.
> 
> (4) When we work with friends, we can do more than when we work alone.
> 
> None of that tells us how badly Intel and AMD are screwing up, and which
> directions they are running with the ball in the hardware camp. They
> are primarily concerned with features that sell or otherwise obviously
> make them money. Until sometime in the future (closer now than a year
> ago), security does not sell, does not obviously make them money.
> --
> Joel Rees
> 
> Be careful where you see conspiracy.
> Look first in your own heart.
> 
> 
4.1: and when we share our sources (not just in the sense of giving
away, but using the same codebase), we expose ourselves together and
share the same risks. We stand together.
"There is no such thing as absolute security" (Many et al). Only 3
letter agencies believe, or pretend to, in such crap. Life is inherently
chaos and change. This dream of absolute control serves to keep us
docile servants of private interests. Free software does not promise
perfect security, it offers a different perspective on software
development motifs which "battles" the ongoing effort to subdue users
and keep them that way.
But battles are not won overnight, they are a life path that we set to
follow and endure, without any guarantees other than that we will die
anyway. Free software is a path, not the "One Final Answer". That would
be 42.