
Re: Debians security features in comparison to Ubuntu

On 17.05.2014 21:33, Gunnar Wolf wrote:
> Joel Rees dijo [Sat, May 17, 2014 at 10:06:41PM +0900]:
>>> The problem is, that Debian lacks a page similar to:
>>> https://wiki.ubuntu.com/Security/Features
>> Is that page really useful? I mean, besides as a sort of sales brochure?
> Agree with this. It would be nice to have such a page, but having it
> means we'd have to remember to keep it up to date. And it provides
> little value but (precisely) being a sales brochure. So... :)
>> I did note that the debian pages on security are a bit dated.
>> I suppose I should lend a hand there if I can find the time. How about
>> you, do you have the time? You don't have to start out understanding
>> the whole list, you just have to be willing to look up the debian
>> packages, learn how their setup works, and write down what you
>> learned, discuss it on the appropriate lists, then write up some
>> summaries and submit them. If you do good work, you'll be invited to
>> assume responsibility for some of the wiki pages.
> Right. And if the pages are generally seen as meaningful and well
> done, they might later become part of the "official" non-wiki
> webpage.
>>>> This will be an issue with any OS you
>>>> choose, even seriously secure OSses like openBSD.
>>> Is OpenBSD a seriously secure OS?
>> I suppose it's easier to get into an openbsd server than it is to fly
>> to the moon, but if you set up an openbsd server and keep it updated,
>> attackers will generally find it easier to try social engineering
>> instead of attacking the server directly.
>> Modulo the services you run, but that's true of any OS. If you are
>> running a hypertext protocol server and it has a hole, you have a hole
>> in your server.
> That last paragraph is, I found, the most important. Very few people
> run OpenBSD in its default install (other than for firewalls or
> similar stuff). Once you set up a webserver with dynamically generated
> content, a DBMS, and similar stuff... Well, you will find the "ports"
> (their term for our "packages") are not supported, and staying up to
> date is not as trivial as with Debian.
> OpenBSD is a *great* project and has contributed with many very
> important techniques. They have audited and improved many important
> packages (and the work they are currently doing with Open^WLibreSSL is
> just one such example). I would never say their work is not worth
> following. But as a sysadmin, many years ago I found Debian to be much
> preferable — Because it cares about the overall security of a very
> large, very complex and wide-reaching set of programs, not just a core
> operating system around which to build whatever is needed.
>>> Last time I checked, OpenBSD didn't provide signed packages for the
>>> package manager by default. Using OpenBSD signed packages for updating
>>> only seemed ridiculously complicated.
>> Basically, you're supposed to buy the CDs from the project. CDs are a
>> bit harder to spoof than dns, and they come out every six months.
> The CDs are a way to support (read: fund) the project. To keep your
> install up-to-date, you must download (unsigned!) patches from
> Internet, apply them to the tree and rebuild the needed parts of the
> OS. You are supposed to read the patches to understand what you are
> doing, although I'm certain many people don't — That's why I wrote an
> auto-patcher back in 2003 (http://gwolf.org/soft/tepatche/ — It's
> amazing how bitrot affects even my webpages :-| )... But yes, nowadays
> I'd be much more uneasy with fetching code from a given FTP server and
> pushing it automatically into my systems.
Hi there, I am a happy Debian and Arch user and have seen some FUD
flying by recently about OpenBSD, so I thought I might as well correct it:

OpenBSD 5.5 <= the newest release, on May 1, 2014

They have added signify:

Releases and packages are now cryptographically signed with the signify(1)
<http://www.openbsd.org/cgi-bin/man.cgi?query=signify&sektion=1> utility.

  * The installer will verify all sets before installing.
  * Installing without verification works, but is discouraged.
  * Users are advised to verify the installer (bsd.rd, install55.iso,
    etc.) ahead of time using the signify(1) tool if available.
  * pkg_add(1) <http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&sektion=1>
    now only trusts signed packages by default.

So finally OpenBSD also got signed packages.

Best regards,
