
Re: Question for DPL Candidates: Debian $$$



Moving back onto the list after some private discussion.

From my point of view, I am not sure how much of this can be easily
solved by throwing money at the problem, unless hiring tech writers is
something the project as a whole considers a valid use of our money.

(I am entirely unconvinced that this would have a positive impact on
the project, especially given that people are already writing
documentation for Debian for free.)


That said, I do believe that we could do better with documentation.

For example, the security Debian how-to is very good, but we could go a
lot further in better documenting how to do things like user auth with
a central LDAP server which manages both SSH keys and passwords.

I know it's possible, because Debian uses something along those lines
for its own systems, but I am unaware of any documentation describing
how to _duplicate_ this sort of thing.

And PCI auditors in my experience respond better to being told that 'We
did X by following document Y produced by Z' than to a home-grown solution.
It might be just as good, but in the end it involves quite a lot less
paperwork.


The same could be said for setting up a Debian machine to do many of the
tasks that PCI requires a company have systems for.  It may be very easy
to set up a central syslog server, but the auditors react better to
saying that you followed documents from 'trusted' sources.  And at least
in my experience, the distribution itself is usually considered one of
these sources.

But as I said, these are not things we can easily solve by spending
money.

Zephaniah E. Hull.

On Thu, Mar 26, 2009 at 11:26:53AM +0000, Mark Brown wrote:
> On Thu, Mar 26, 2009 at 02:28:21AM -0400, Zephaniah E. Hull wrote:
> > On Wed, Mar 25, 2009 at 01:15:02PM +0000, Mark Brown wrote:
> 
> > > This is also an issue in some other industries for things like the PCI
> > > DSS (http://en.wikipedia.org/wiki/PCI_DSS), FWIW.
> 
> > Taken with a grain of salt, but I can't recall any part of the PCI
> > DSS which Debian doesn't comply with at least as well as Redhat does.
> 
> The issue is not if we comply, it's if we've got certification saying
> that we comply - the people who care about this stuff need to have the
> certification.
> 
> > Which is to say, on the server or desktop side PCI does not require
> > certification or independent evaluation of the OS or applications, just
> > that given practices be followed. (Some of them are a bit odd, or
> > downright insane, but.)
> 
> > Now, the issues with stuff embedded into credit card terminals or ATMs
> > gets a lot nastier.  Most of that goes into the hardware side, but I
> > have not had to go through a PCI audit on those, so I'm not sure what
> > all is involved.
> 
> My understanding is that it's an issue on the server side as well if
> you're pushing the interesting data through there.  I also understand
> that some of it is things like verifying that relevant security updates
> have been applied which is a best practice sort of thing but is
> something that people can do in a canned way with some OS knowledge.
> 

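As an added example that is not part of the thread: the "central LDAP server which manages both SSH keys and passwords" setup mentioned above is one of the things sshd's AuthorizedKeysCommand is for. The script below is the shape such a command takes when keys are stored with the openssh-lpk schema (objectClass ldapPublicKey, attribute sshPublicKey); the LDAP hostname, base DN, script path and all key material are made up for illustration, the LDIF it parses is a constructed sample embedded in the script so it runs offline, and the two points a reviewer would check (validating the username sshd hands over before it goes into an LDAP filter, and unfolding/decoding LDIF correctly, since ldapsearch folds long lines and base64-encodes some values) are both handled.

```shell
#!/bin/sh
# Added example, not Debian's own code: an sshd AuthorizedKeysCommand helper
# that looks up a user's public keys in LDAP (openssh-lpk schema).
#
# sshd_config (Debian: /etc/ssh/sshd_config), hypothetical script path:
#   AuthorizedKeysCommand /usr/local/sbin/ssh-ldap-keys
#   AuthorizedKeysCommandUser nobody
# sshd insists the command is owned by root and not group/world writable.

# Build the LDAP filter for a username, or fail if the name could carry
# filter metacharacters. sshd passes %u verbatim, so validate before use
# rather than trying to escape "(", ")", "*" and friends.
ldap_filter_for_user() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    printf '(&(objectClass=ldapPublicKey)(uid=%s))\n' "$1"
}

# Read LDIF on stdin and print one sshPublicKey value per line.
# LDIF folds long values onto continuation lines that begin with a single
# space, and writes values that are not safe-ASCII as "attr:: <base64>".
keys_from_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append
        { if (buf != "") print buf; buf = $0 }  # flush previous record line
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*)
                printf '%s\n' "${line#sshPublicKey:: }" | base64 -d
                printf '\n'
                ;;
            'sshPublicKey: '*)
                printf '%s\n' "${line#sshPublicKey: }"
                ;;
        esac
    done
}

# What the installed command would actually run. Assumes ldapsearch from
# ldap-utils and a hypothetical server and base DN; not used offline.
ssh_ldap_keys() {
    filter=$(ldap_filter_for_user "$1") || exit 1
    ldapsearch -x -LLL -H ldaps://ldap.example.com \
        -b ou=People,dc=example,dc=com "$filter" sshPublicKey | keys_from_ldif
}

# Constructed sample of what ldapsearch -LLL returns for one user: a plain
# value, a value folded across two lines, a base64 ("::") value, and an
# unrelated attribute that must not leak into authorized_keys output.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: ldapPublicKey
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey alice@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample
 KeyFoldedAcrossLines alice@desk
sshPublicKey:: c3NoLWVkMjU1MTkgS0VZIGFsaWNlQGh3
userPassword:: e1NTSEF9bm90LWEtcmVhbC1oYXNo
EOF
}

# Offline demo over the constructed record.
demo() {
    sample_ldif | keys_from_ldif
}
```

Running `demo` prints three keys and nothing else; the `userPassword` attribute stays out of the output even though ldapsearch would return it if the attribute list were left off, which is why the wrapper asks for `sshPublicKey` only and the parser ignores every other attribute regardless.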