Re: Debian's security features in comparison to Ubuntu
On 17.05.2014 21:33, Gunnar Wolf wrote:
> Joel Rees said [Sat, May 17, 2014 at 10:06:41PM +0900]:
>>> The problem is, that Debian lacks a page similar to:
>> Is that page really useful? I mean, besides as a sort of sales brochure?
> Agree with this. It would be nice to have such a page, but having it
> means we'd have to remember to keep it up to date. And it provides
> little value but (precisely) being a sales brochure. So... :)
>> I did note that the debian pages on security are a bit dated.
>> I suppose I should lend a hand there if I can find the time. How about
>> you, do you have the time? You don't have to start out understanding
>> the whole list, you just have to be willing to look up the debian
>> packages, learn how their setup works, and write down what you
>> learned, discuss it on the appropriate lists, then write up some
>> summaries and submit them. If you do good work, you'll be invited to
>> assume responsibility for some of the wiki pages.
> Right. And if the pages are generally seen as meaningful and well
> done, they might later become part of the "official" non-wiki
>>>> This will be an issue with any OS you
>>>> choose, even seriously secure OSes like OpenBSD.
>>> Is OpenBSD a seriously secure OS?
>> I suppose it's easier to get into an OpenBSD server than it is to fly
>> to the moon, but if you set up an OpenBSD server and keep it updated,
>> attackers will generally find it easier to try social engineering
>> instead of attacking the server directly.
>> Modulo the services you run, but that's true of any OS. If you are
>> running a hypertext protocol server and it has a hole, you have a hole
>> in your server.
> That last paragraph is, I found, the most important. Very few people
> run OpenBSD in its default install (other than for firewalls or
> similar stuff). Once you set up a webserver with dynamically generated
> content, a DBMS, and similar stuff... Well, you will find the "ports"
> (their term for our "packages") are not supported, and staying up to
> date is not as trivial as with Debian.
> OpenBSD is a *great* project and has contributed with many very
> important techniques. They have audited and improved many important
> packages (and the work they are currently doing with Open^WLibreSSL is
> just one such example). I would never say their work is not worth
> following. But as a sysadmin, many years ago I found Debian to be much
> preferable — Because it cares about the overall security of a very
> large, very complex and wide-reaching set of programs, not just a core
> operating system around which to build whatever is needed.
>>> Last time I checked, OpenBSD didn't provide signed packages for the
>>> package manager by default. Using OpenBSD signed packages for updating
>>> only seemed ridiculously complicated.
>> Basically, you're supposed to buy the CDs from the project. CDs are a
>> bit harder to spoof than dns, and they come out every six months.
> The CDs are a way to support (read: fund) the project. To keep your
> install up-to-date, you must download (unsigned!) patches from
> Internet, apply them to the tree and rebuild the needed parts of the
> OS. You are supposed to read the patches to understand what you are
> doing, although I'm certain many people don't — That's why I wrote an
> auto-patcher back in 2003 (http://gwolf.org/soft/tepatche/ — It's
> amazing how bitrot affects even my webpages :-| )... But yes, nowadays
> I'd be much more uneasy with fetching code from a given FTP server and
> pushing it automatically into my systems.
Hi there, I am a happy Debian and Arch user and have seen some FUD
flying by recently about OpenBSD, so I thought I might as well correct it:
OpenBSD 5.5 <= the newest release, on May 1, 2014
They have added signify:
Releases and packages are now cryptographically signed with the
* The installer will verify all sets before installing.
* Installing without verification works, but is discouraged.
* Users are advised to verify the installer (bsd.rd, install55.iso,
  etc.) ahead of time using the signify(1) tool if available.
only trusts signed packages by default.
So finally OpenBSD also got signed packages.
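As an added example (not part of the thread or of OpenBSD's own code), here is what the verification step in those release notes looks like in practice. `verify_sets` wraps the documented signify(1) invocation: signify checks the Ed25519 signature on the SHA256.sig checksum list with the release key and then compares each named set against that list. `check_listed_hash` reproduces the second half of that check portably, so it can be run on a non-OpenBSD host, but it assumes the list it reads has already had its signature verified. The key path `/etc/signify/openbsd-55-base.pub` and the file name `SHA256.sig` are assumptions based on the 5.5 release; adjust them for other releases.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies OpenBSD 5.5 install sets.
# Assumption: signify(1) is installed and the 5.5 base release key is at
# /etc/signify/openbsd-55-base.pub (override with PUBKEY=... in the env).
set -u

PUBKEY="${PUBKEY:-/etc/signify/openbsd-55-base.pub}"

# Full check as the release notes describe: signify verifies the signature
# on the checksum list ($1, normally SHA256.sig) against $PUBKEY, then checks
# each file named after it against the entries in that list.
# Returns signify's exit status: 0 only if signature and every checksum hold.
# Usage on an OpenBSD 5.5 box, in the directory holding the downloaded sets:
#   . ./verify-sets.sh && verify_sets SHA256.sig bsd.rd base55.tgz
verify_sets() {
    sigfile="$1"; shift
    signify -C -p "$PUBKEY" -x "$sigfile" "$@"
}

# Portable equivalent of the per-file half of that check, for a list whose
# signature has ALREADY been verified. Entries use the BSD checksum format
# found in OpenBSD's SHA256 files:
#   SHA256 (bsd.rd) = <64 hex digits>
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry in the list.
check_listed_hash() {
    list="$1"; file="$2"
    name=$(basename "$file")
    expected=$(sed -n "s/^SHA256 ($name) = //p" "$list")
    [ -n "$expected" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)   # GNU coreutils
    else
        actual=$(sha256 -q "$file")                   # OpenBSD sha256(1)
    fi
    [ "$actual" = "$expected" ]
}
```

Note the ordering: a checksum list that has not been signature-checked only protects against download corruption, not against a mirror or DNS spoof that replaces both the set and the list together, which is exactly the gap the signify step closes.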