Re: package for security advice
On Sat, Mar 07, 2020 at 11:46:54AM -0600, Jonathan Hutchins wrote:
> The only way to achieve real security is through knowledge. Pressing a
> shiny automated button is just going to implement what somebody else thinks
> is good for the system they assume you're running. Find the security
> websites, podcasts, newsletters, books. Learn what you really need to do
> for your actual case, not what somebody else thinks you should do. Learn
> what is superstitious paranoia that will never even come close to a private
> personal system.
By your logic, we shouldn't bother taking any steps to help our users
secure their systems. Everything should be on them. This may come as a
surprise to you, but many computer users (I'll stop short of saying
anything about "the vast majority"), have no interest whatsoever in
"security websites, podcasts, newsletters, books". But guess what,
they're still using computers, and they're not going to stop. We can
either help them do so a little more safely, or we can watch them fail.
One of these choices is aligned with our social contract.
> If you're going to run a public web server, mail server, or whatever, one
> run of a script is not going to keep you secure. You need to know what the
> actual attack vectors can be, and need to be prepared for a threat that
> nobody's thought of yet.
Why? *Somebody* certainly needs to think about these things, but the
notion that *everybody* needs to do so to the deepest possible level
ignores the reality of human nature. It is our responsibility as a
Linux distribution to make difficult OS management tasks easier, and
that includes taking reasonable steps to configure a system for use on
> Microsoft tells you all you have to do is click the little check box that
> turns on the security they've built and you're all safe.
We're not talking about Microsoft.