Re: Secure OS's

To: debian-user@lists.debian.org
Subject: Re: Secure OS's
From: dircha <dircha@dircha.com>
Date: Mon, 10 May 2004 12:39:46 -0500
Message-id: <[🔎] 409FBE62.3060107@dircha.com>
In-reply-to: <[🔎] 1084196320.409f85e05573c@www.thirdaspect.net>
References: <1083173508.408fea8450928@www.thirdaspect.net> <409051C5.5050005@yahoo.es> <[🔎] 1084196320.409f85e05573c@www.thirdaspect.net>

paul@thirdaspect.net wrote:

I guess what I mean by a secure os is an os whose packages themselves
are secure, obviously if someone doesn't set up a server securely, it
doesn't matter how secure the packages are.  Like wise, if a person
set up a server keeping security as a priority, all their efforts are
for naught if the package is built insecurely, (like the common
buffer overflow).

I know that debian releases security patches that solve many of these
 issues, when the come up.  However, this process leads me to believe
that the packages in general are not built with security in mind(which makes sense because most people programming an editor areprobably not terribly concerned about curious users monkeying aroundwith their programs too much).
How important of an issue do you guys feel this is and do you thinkprojects like bastille are important towards this effort? Also, Ido not know of any other debian compatible security packages andwould love to learn more about them.

Whether or not a software application itself is security-minded isprimarily a judgment call about the application's developers, itssecurity model, and its maturity.

You say, "all their efforts are for naught if the package is builtinsecurely, (like the common buffer overflow)". This is usually not thedomain of the distribution or packager.

When 99.9% (eh?) of the development work is done by the upstreamdeveloper, looking elsewhere to make security judgments about thesoftware would seem to be a mistake.

Just because a software application has been packaged in a distributionfor 6 years, does not mean that it is in any way secure or even "moresecure". It may have a user base of 10 people. That the software isavailable as a .deb tells you very little beyond an expectation that itwill be version compatible with the rest of the distribution.


The distribution package - the .deb - is security neutral.

Further, I do not believe there is a 1:1 correspondence between softwarewhich is packaged and software which it is worthwhile to divert peopleresources to for development or testing.

Shouldn't development and testing resources be allocated by the upstreamdevelopers and those who fund them?


dircha

Reply to:

Follow-Ups:
- Re: Secure OS's
  - From: Alvin Oga <aoga@ns.Linux-Consulting.com>

References:
- Re: Secure OS's
  - From: paul@thirdaspect.net

Prev by Date: Re: Recommendation on Digital Cameras that work well with linux....and...
Next by Date: Re: Recommendation on Digital Cameras that work well with linux....and...
Previous by thread: Re: Secure OS's
Next by thread: Re: Secure OS's
Index(es):
- Date
- Thread