Re: Debians security features in comparison to Ubuntu
Joel Rees said [Sat, May 17, 2014 at 10:06:41PM +0900]:
> > The problem is, that Debian lacks a page similar to:
> > https://wiki.ubuntu.com/Security/Features
> 
> Is that page really useful? I mean, besides as a sort of sales brochure?

Agree with this. It would be nice to have such a page, but having it
means we'd have to remember to keep it up to date. And it provides
little value but (precisely) being a sales brochure. So... :)

> I did note that the debian pages on security are a bit dated.
> 
> I suppose I should lend a hand there if I can find the time. How about
> you, do you have the time? You don't have to start out understanding
> the whole list, you just have to be willing to look up the debian
> packages, learn how their setup works, and write down what you
> learned, discuss it on the appropriate lists, then write up some
> summaries and submit them. If you do good work, you'll be invited to
> assume responsibility for some of the wiki pages.

Right. And if the pages are generally seen as meaningful and well
done, they might later become part of the "official" non-wiki
webpage.

> >> This will be an issue with any OS you
> >> choose, even seriously secure OSes like openBSD.
> >
> > Is OpenBSD a seriously secure OS?
> 
> I suppose it's easier to get into an openbsd server than it is to fly
> to the moon, but if you set up an openbsd server and keep it updated,
> attackers will generally find it easier to try social engineering
> instead of attacking the server directly.
> 
> Modulo the services you run, but that's true of any OS. If you are
> running a hypertext protocol server and it has a hole, you have a hole
> in your server.

That last paragraph is, I found, the most important. Very few people
run OpenBSD in its default install (other than for firewalls or
similar stuff). Once you set up a webserver with dynamically generated
content, a DBMS, and similar stuff... Well, you will find the "ports"
(their term for our "packages") are not supported, and staying up to
date is not as trivial as with Debian.

OpenBSD is a *great* project and has contributed with many very
important techniques. They have audited and improved many important
packages (and the work they are currently doing with Open^WLibreSSL is
just one such example). I would never say their work is not worth
following. But as a sysadmin, many years ago I found Debian to be much
preferable — Because it cares about the overall security of a very
large, very complex and wide-reaching set of programs, not just a core
operating system around which to build whatever is needed.

> > Last time I checked, OpenBSD didn't provide signed packages for the
> > package manager by default. Using OpenBSD signed packages for updating
> > only seemed ridiculously complicated.
> 
> Basically, you're supposed to buy the CDs from the project. CDs are a
> bit harder to spoof than dns, and they come out every six months.

The CDs are a way to support (read: fund) the project. To keep your
install up-to-date, you must download (unsigned!) patches from
Internet, apply them to the tree and rebuild the needed parts of the
OS. You are supposed to read the patches to understand what you are
doing, although I'm certain many people don't — That's why I wrote an
auto-patcher back in 2003 (http://gwolf.org/soft/tepatche/ — It's
amazing how bitrot affects even my webpages :-| )... But yes, nowadays
I'd be much more uneasy with fetching code from a given FTP server and
pushing it automatically into my systems.