
Re: goals for hardening Debian: ideas and help wanted



On 10:57 Thu 24 Apr 2014, Paul Wise wrote:
> ..[snip]..
> https://wiki.debian.org/Hardening/Goals

Regarding the line (at that page):

> Refuse to install packages that are known to have X number of unplugged
> exploits (i.e. X number of open security bugs in the bug tracker) unless
> e.g. --allow-vulnerable-packages is used. This makes it clear that you are
> installing software that is vulnerable. 

I suggest it might be better if exploits were each given a quick/approximate
"ranking" in terms of severity (and if the severity is unknown it could be
assigned a default median ranking), so that the algorithm you mention wouldn't
just add the number of unplugged exploits, but would add them by weight. For example:
the recent heartbleed exploit would be worth more than a few smaller exploits
in less critical software, and would be calculated as such...

-- 
PGP fingerprint:
 BB0A 0787 C0EE BDD8 7F97  3D30 49F2 13A5 265D CCBD
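The weighted variant proposed in the post, written out as an added example (not code from the poster, from the Debian wiki page, or from any Debian tool): the severity labels, their weights, the threshold and the bug list are constructed assumptions; unknown severity falls back to the median weight, and the override flag stands in for the suggested `--allow-vulnerable-packages`.

```python
"""Weighted open-security-bug check before package install (illustrative).

Assumptions: the severity labels and weights are made up for this example and
are not Debian's scheme; the tracker data below is a constructed sample.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Illustrative severity weights (assumption, not a real Debian classification).
SEVERITY_WEIGHTS = {"low": 1, "medium": 3, "high": 7, "critical": 15}
# Bugs with no severity yet get the median of the known weights, as suggested.
DEFAULT_WEIGHT = median(SEVERITY_WEIGHTS.values())  # 5.0


@dataclass(frozen=True)
class SecurityBug:
    bug_id: str
    severity: Optional[str]  # None when the tracker has not rated it yet


def bug_weight(bug: SecurityBug) -> float:
    """Weight of one open bug; unknown or unrecognised severity -> median."""
    if bug.severity is None:
        return DEFAULT_WEIGHT
    return SEVERITY_WEIGHTS.get(bug.severity.lower(), DEFAULT_WEIGHT)


def vulnerability_score(bugs) -> float:
    """Sum of weights, instead of the plain count the wiki line describes."""
    return sum(bug_weight(b) for b in bugs)


def install_decision(bugs, threshold: float, allow_vulnerable: bool = False):
    """Return ('install' | 'refused' | 'allowed-override', score)."""
    score = vulnerability_score(bugs)
    if score < threshold:
        return "install", score
    if allow_vulnerable:  # stands in for --allow-vulnerable-packages
        return "allowed-override", score
    return "refused", score


# Constructed sample: one critical bug versus several minor/unrated ones.
SAMPLE_TRACKER = {
    "libexample-ssl": [SecurityBug("#000001", "critical")],
    "example-game": [SecurityBug("#000002", "low"), SecurityBug("#000003", "low"),
                     SecurityBug("#000004", None)],
}

if __name__ == "__main__":
    for pkg, bugs in SAMPLE_TRACKER.items():
        print(pkg, len(bugs), "open bug(s) ->", install_decision(bugs, threshold=10))
```

With a threshold of 10, the package with three open bugs is installable while the single critical bug refuses the install, which is the opposite of what a plain bug count would decide.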
