Re: New Google Group for discussion and notices on Arch security.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Comments interspersed on a few points.

On Thu, 2010-06-17 at 15:35 -0700, Miah Johnson wrote:
> I think there is much more that can be done besides the short list from
> Ananda. The thing you have to remember is that "security" does not mean "I'm
> running the newest code.".
> 
> Things to remember:
> 1. There is no such thing as "secure".
> 2. Proper security consists of multiple layers of defense.
> 
> Additional examples of things the AST could do:
> 1. Propose changes to default configuration files to be "more secure", and
> have more documentation around setting up services in a more secure fashion.

Except with very good reasons, I doubt its a good idea to make more
changes to default configuration files than necessary, its against the
'upstream as much as possible' policy. The rest sounds fine, though I'm
not sure about point 3 since I'm not familiar with what sort of control
the initscript has at the moment.

> 2. Assist with SELinux & GRsecurity projects.
> 3. Propose changes to initscripts to make sure software drops privileges and
> chroots where possible, or at least make it easier to enable such features.
> 4. pie / ssp
> 5. PaX
> 6. Audits
> 
> This list is by no means complete, but the end goal should be to make things
> more secure. The other thing to remember is that just because you are
> running the latest rev of code, it doesn't mean there aren't
> vulnerabilities, or unpatched issues.  Developers don't always consider
> issues that could be security issues to be security issues, or don't they
> understand the security implications of certain issues.
> 
> Lastly, just because Arch is a rolling release it doesn't mean that
> everybody that uses it just updates everything at a whim. Some people do
> believe in change control and it may be useful for those people to be aware
> of security issues in certain packages that need to be updated. Not
> everybody does a daily/weekly/monthly system update. For some people
> "stability" is a feature. Some people might choose to upgrade packages which
> are security conscious while taking caution to upgrade a package they
> are dependent on.

My OPINION is that Arch is not a distro for those who do not want to do
regular total updates. Of course, some have individual packages in
NoUpgrade, but the number of problems which crop up which come down to
"you didn't run pacman -Syu!" is an indicator of why its a bad idea.



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux