paul@thirdaspect.net wrote:
I guess what I mean by a secure OS is an OS whose packages themselves are secure. Obviously if someone doesn't set up a server securely, it doesn't matter how secure the packages are. Likewise, if a person set up a server keeping security as a priority, all their efforts are for naught if the package is built insecurely (like the common buffer overflow). I know that Debian releases security patches that solve many of these issues when they come up. However, this process leads me to believe that the packages in general are not built with security in mind (which makes sense because most people programming an editor are probably not terribly concerned about curious users monkeying around with their programs too much). How important of an issue do you guys feel this is and do you think projects like Bastille are important towards this effort? Also, I do not know of any other Debian-compatible security packages and would love to learn more about them.
Whether or not a software application itself is security-minded is primarily a judgment call about the application's developers, its security model, and its maturity.
You say, "all their efforts are for naught if the package is built insecurely, (like the common buffer overflow)". This is usually not the domain of the distribution or packager.
When 99.9% (eh?) of the development work is done by the upstream developer, looking elsewhere to make security judgments about the software would seem to be a mistake.
Just because a software application has been packaged in a distribution for 6 years does not mean that it is in any way secure or even "more secure". It may have a user base of 10 people. That the software is available as a .deb tells you very little beyond an expectation that it will be version compatible with the rest of the distribution.
The distribution package - the .deb - is security neutral. Further, I do not believe there is a 1:1 correspondence between software which is packaged and software which it is worthwhile to divert people resources to for development or testing.
Shouldn't development and testing resources be allocated by the upstream developers and those who fund them?
dircha