Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
On Mon, 8 Feb 2021 08:36:34 -0500
Dan Ritter <dsr@randomstring.org> wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 06:41:23 -0500
> > Dan Ritter <dsr@randomstring.org> wrote:
> > 
> > > Gregory Seidman wrote: 
> > > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> > 
> > ...
> > 
> > > Debian gets security updates in a timely manner (for stable).
> > > 
> > > How's OpenWRT's security team?
> > 
> > I'm not sure if this is a genuine question or a rhetorical one (sorry -
> > tone doesn't always come across well in email), but OpenWRT does have a
> > security process, with advisories, bug fixes, etc.:
> 
> Semi-rhetorical: my experience with OpenWRT and ddWRT is that
> once a device is installed, it never gets an upgrade. I'd be
> happy to learn otherwise.

Rejoice, then! If you choose never to upgrade, that's your choice, but
the project releases point releases every couple of months or so, and
new major versions every year or two:

https://downloads.openwrt.org/releases/

> > https://openwrt.org/docs/guide-developer/security
> > 
> > I suspect the process may not be as good as Debian's, but they do fix
> > at least some serious bugs fairly quickly. E.g., if I'm reading the
> > following pages correctly, the Debian DSAs for the recent serious set of
> > dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> > Security Advisory on Jan. 19:
> 
> That page lists 15 advisories over the last 3 years -- let's say
> 2 years, since this year is just beginning. Four of those
> advisories are for OpenWRT-only problems.
> 
> In the two months of 2021 so far, Debian's security team has issued 28 notices.
> Let's discount the desktop software -- that's 8 of them, by my
> count -- because nobody runs desktop software on a router.

I think this is a misleading comparison. It's not just a question
of desktop software - Debian includes vastly more software in general,
for which the security team is responsible, than OpenWRT does. Debian
proudly announces that it comes with "more than 59000 packages":

https://www.debian.org/intro/about

OpenWRT includes merely "several thousand packages" (I can't find an
exact number):

https://openwrt.org/packages/start

So of course Debian is going to have more SAs.

> OpenWRT's security process doesn't look as terrible as it used
> to be, but it doesn't really look good right now, just trying to
> be better.

Again, let's look at specific examples of vulnerabilities present in
both OpenWRT and Debian, and compare the projects' responses. I gave
you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
was issued about two weeks before Debian's.

You feel that OpenWRT's security process "doesn't look good." Based on
what? Can you provide a vulnerability that affects their software that
they dropped the ball on?

> This probably doesn't matter much if you just want a WAP inside
> your house, but I feel confirmed that Debian is still a much
> better choice for an Internet-facing router/firewall.

Celejar
