
Re: making Debian secure by default



David Wright wrote:

>> Ah, surely it can't refer to that as that would be
>> completely ridiculous as it would imply "wanna install
>> stuff? sure, but then it isn't secure anymore".
>
> It's not clear what "isn't secure anymore" means. [...]

It means as soon as you start doing stuff with the software,
it isn't secure anymore. Which is comical to some extent as
doing stuff is the purpose of computers.

So to base security boasting on people having the most
minimal, restricted and inactive system, it is like boasting
this marvelous piece of body armor is guaranteed to not have
a single infantryman killed - just don't go to war.

(Note that now I'm just making fun of the slogan and boasting,
not saying anything negative of their OS necessarily - I've
used it myself, it seemed pretty good and, indeed, secure.)

>  "Secure by Default"
>
>  "To ensure that novice users of OpenBSD do not need to
>   become security experts overnight (a viewpoint which other
>   vendors seem to have), we ship the operating system in
>   a Secure by Default mode. All non-essential services are
>   disabled. As the user/administrator becomes more familiar
>   with the system, he will discover that he has to enable
>   daemons and other parts of the system. During the process
>   of learning how to enable a new service, the novice is
>   more likely to learn of security considerations."
>
> from https://www.openbsd.org/security.html
> OTOH:
>
>  "There are many applications one might want to use on an
>   OpenBSD system. To make this software easier to install
>   and manage, it is ported to OpenBSD and packaged. The aim
>   of the package system is to keep track of which software
>   gets installed, so that it may be easily updated or
>   removed. In minutes, a large number of packages can be
>   fetched and installed, with everything put in the
>   right place."
>
>  "The ports collection does not go through the same thorough
>   security audit that is performed on the OpenBSD base
>   system. Although we strive to keep the quality of the
>   packages high, we just do not have enough resources to
>   ensure the same level of robustness and security."
>
> from https://www.openbsd.org/faq/faq15.html (Package
> Management).

The more you install, the less secure it gets. Yeah, can't
base the security model on that.

They should do it the other way around, write a piece of
software that breaks everything. Install it on OpenBSD and if
it breaks it, OpenBSD is not more secure than anyone else.
If nothing happens tho, most likely you are safe.

-- 
underground experts united
https://dataswamp.org/~incal

