
Re: making Debian secure by default



On Thu 28 Mar 2024 at 12:36:56 (+0100), Emanuel Berg wrote:
> Michael Kjörling wrote:
> 
> >> "Secure by default" is an OpenBSD slogan BTW. Or they have
> >> made it into one at least. But I'm not sure it is any more
> >> secure than Debian - maybe.
> >> 
> >>   https://www.openbsd.org/security.html
> >
> > If I'm not mistaken, OpenBSD is "secure by default" by being
> > "extremely minimalistic by default".
> >
> > Last I looked, which in fairness was a while ago, a default
> > installation of OpenBSD includes almost nothing that normal,
> > present-day users would expect to find on their system. [...]
> 
> Ah, surely it can't refer to that as that would be completely
> ridiculous as it would imply "wanna install stuff? sure, but
> then it isn't secure anymore".

It's not clear what "isn't secure anymore" means. But anyway,

 “"Secure by Default"

 “To ensure that novice users of OpenBSD do not need to become
  security experts overnight (a viewpoint which other vendors seem to
  have), we ship the operating system in a Secure by Default mode.
  All non-essential services are disabled. As the user/administrator
  becomes more familiar with the system, he will discover that he has
  to enable daemons and other parts of the system. During the process
  of learning how to enable a new service, the novice is more likely
  to learn of security considerations.”

from https://www.openbsd.org/security.html
OTOH:

 “There are many applications one might want to use on an OpenBSD
  system. To make this software easier to install and manage, it is
  ported to OpenBSD and packaged. The aim of the package system is to
  keep track of which software gets installed, so that it may be easily
  updated or removed. In minutes, a large number of packages can be
  fetched and installed, with everything put in the right place.

 “The ports collection does not go through the same thorough security
  audit that is performed on the OpenBSD base system. Although we
  strive to keep the quality of the packages high, we just do not have
  enough resources to ensure the same level of robustness and
  security.”

from https://www.openbsd.org/faq/faq15.html (Package Management).

Cheers,
David.
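The OpenBSD passage quoted above boils "secure by default" down to one concrete property: nothing listens that the administrator has not consciously enabled. The following script is an added example, not code from this thread, from Debian or from OpenBSD. It audits that property on a Debian (or any iproute2) host by comparing listening sockets against an allowlist of deliberately enabled services. It assumes the column layout of `ss -H -tulnp` (no header); the allowlist and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Audit listening sockets against an allowlist of services the administrator
# has deliberately enabled (the "all non-essential services are disabled"
# property). Added example; assumes the column layout of: ss -H -tulnp
#
# Constructed sample of that output so the script runs offline. On a live
# system replace it with:  SAMPLE_SS_OUTPUT=$(ss -H -tulnp)
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=901,fd=7))
tcp   LISTEN 0 511 0.0.0.0:80   0.0.0.0:* users:(("apache2",pid=1200,fd=4))
udp   UNCONN 0 0   0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=650,fd=12))'

# Hypothetical allowlist: process names the administrator chose to enable.
ALLOWED="sshd"

# unexpected_listeners SS_OUTPUT ALLOWLIST
# Prints "proto local-address process" for every socket that is reachable
# from outside localhost and whose owning process is not in ALLOWLIST.
# Sockets bound only to 127.0.0.1 / [::1] are skipped: they are not exposed.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      local = $5                       # field 5 is the local address:port
      proc = $0                        # process name sits inside users:(("...",
      sub(/^.*users:\(\("/, "", proc)
      sub(/".*$/, "", proc)
      split(local, parts, ":")
      addr = parts[1]
      if (addr == "127.0.0.1" || addr == "[::1]") next
      if (!(proc in ok)) print $1, local, proc
    }'
}

# Stand-alone run: report anything listening that was not consciously enabled.
unexpected_listeners "$SAMPLE_SS_OUTPUT" "$ALLOWED"
```

With the sample data this reports `apache2` on 0.0.0.0:80 and `avahi-daemon` on 0.0.0.0:5353; `cupsd` is ignored because it is bound to localhost only. Run against real `ss` output, an empty result is what a "secure by default" install should give; anything printed is either a service to add to the allowlist deliberately or one to disable.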

