
Re: Why is Debian not secure by default?



On Sun, 23 Jan 2011 09:04:32 +0100
Sven Joachim <svenjoac@gmx.de> wrote:

> On 2011-01-23 07:29 +0100, Rico Secada wrote:
> 
> > After having brushed up on some technical aspects of security I would
> > like to understand why Debian isn't secure by default.
> >
> > As we all know a lot of security breaches occur because of overflow
> > errors. Different protective measures have been developed, for
> > example "executable space protection".
> >
> > As seen in this comparison list, both Fedora and SUSE are running
> > with some method of protection enabled by default whereas Debian isn't.
> >
> > http://en.wikipedia.org/wiki/Comparison_of_Linux_distributions#Security_features
> >
> > Another example is "stack checking" in GCC where for example OpenBSD
> > ships with this setting as "enabled-by-default" whereas it is
> > "off-by-default" on Debian.
> >
> > I would like to understand why Debian is running with this policy of
> > "security is off by default"?
> 
> Basically because the developers cannot agree where the hardened
> compiler options should be implemented.  You can get more information by
> reading http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688.
> 
> Sven
> 

This was detailed in a release from the security team today:

> * Hardening compiler flags
>
> Debian is currently one of the few distributions that doesn't enable hardening
> options in the compiler that protect packages against certain types of
> vulnerability. There has been work on this for a longer time but it hasn't
> yet come to fruition. A Birds of a Feather session will be organised at the
> upcoming Debian Conference to get all involved people together and implement
> this.

So, in short, it's happening.  Just slowly.

-- 
rbmj
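The two hardening features named in the thread, GCC's stack protector and a non-executable stack, can be checked on any existing ELF binary. The script below is an added example, not from the thread or from Debian; it assumes binutils (readelf) is installed and, for the self-test builder, gcc with glibc.

```sh
# Added example, not from the thread. Assumes binutils (readelf) and, for
# build_probe, gcc with glibc. Reports whether an ELF binary was built with
# GCC's stack protector and whether its stack is mapped non-executable.

# "protected" if the binary references __stack_chk_fail, the canary-check
# failure handler that -fstack-protector* makes instrumented functions call.
stack_protector_status() {
    if readelf -sW "$1" 2>/dev/null | grep -q '__stack_chk_fail'; then
        echo protected
    else
        echo unprotected
    fi
}

# "nx" when the PT_GNU_STACK header carries no E (execute) flag; "exec" when
# it does or when the header is missing (the kernel then assumes executable).
nx_stack_status() {
    flags=$(readelf -lW "$1" 2>/dev/null | awk '$1 == "GNU_STACK" { print $7 }')
    case "$flags" in
        ""|*E*) echo exec ;;
        *)      echo nx ;;
    esac
}

# Build two copies of a tiny constructed program into "$1": one with the
# hardening switched off explicitly, one with it on, so the checks above can
# be compared. A char buffer is used because plain -fstack-protector only
# instruments functions that have one.
build_probe() {
    dir="$1"
    cat > "$dir/probe.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    strncpy(buf, argv[0], sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    puts(buf);
    return 0;
}
EOF
    gcc -O0 -fno-stack-protector  -Wl,-z,execstack   -o "$dir/soft" "$dir/probe.c"
    gcc -O0 -fstack-protector-all -Wl,-z,noexecstack -o "$dir/hard" "$dir/probe.c"
}
```

A binary with no character arrays in any function shows "unprotected" even when built with -fstack-protector, so treat the symbol check as evidence about the build, not proof.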
