
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?



Celejar wrote: 
> On Mon, 8 Feb 2021 06:41:23 -0500
> Dan Ritter <dsr@randomstring.org> wrote:
> 
> > Gregory Seidman wrote: 
> > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> 
> ...
> 
> > Debian gets security updates in a timely manner (for stable).
> > 
> > How's OpenWRT's security team?
> 
> I'm not sure if this is a genuine question or a rhetorical one (sorry -
> tone doesn't always come across well in email), but OpenWRT does have a
> security process, with advisories, bug fixes, etc.:

Semi-rhetorical: my experience with OpenWRT and ddWRT is that
once a device is installed, it never gets an upgrade. I'd be
happy to learn otherwise.

> https://openwrt.org/docs/guide-developer/security
> 
> I suspect the process may not be as good as Debian's, but they do fix
> at least some serious bugs fairly quickly. E.g., if I'm reading the
> following pages correctly, the Debian DSAs for the recent serious set of
> dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> Security Advisory on Jan. 19:

That page lists 15 advisories over the last 3 years -- let's say
2 years, since this year is just beginning. Four of those
advisories are for OpenWRT-only problems.

In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
Let's discount the desktop software -- that's 8 of them, by my
count -- because nobody runs desktop software on a router.

OpenWRT's security process doesn't look as terrible as it used
to be, but it doesn't really look good right now, just trying to
be better.

This probably doesn't matter much if you just want a WAP inside
your house, but I feel confirmed that Debian is still a much
better choice for an Internet-facing router/firewall.

-dsr-

