Comments interspersed on a few points.

On Thu, 2010-06-17 at 15:35 -0700, Miah Johnson wrote:
> I think there is much more that can be done besides the short list from
> Ananda. The thing you have to remember is that "security" does not mean "I'm
> running the newest code.".
>
> Things to remember:
> 1. There is no such thing as "secure".
> 2. Proper security consists of multiple layers of defense.
>
> Additional examples of things the AST could do:
> 1. Propose changes to default configuration files to be "more secure", and
> have more documentation around setting up services in a more secure fashion.

Except with very good reasons, I doubt it's a good idea to make more changes to default configuration files than necessary; it's against the 'upstream as much as possible' policy.

The rest sounds fine, though I'm not sure about point 3 since I'm not familiar with what sort of control the initscript has at the moment.

> 2. Assist with SELinux & GRsecurity projects.
> 3. Propose changes to initscripts to make sure software drops privileges and
> chroots where possible, or at least make it easier to enable such features.
> 4. pie / ssp
> 5. PaX
> 6. Audits
>
> This list is by no means complete, but the end goal should be to make things
> more secure. The other thing to remember is that just because you are
> running the latest rev of code, it doesn't mean there aren't
> vulnerabilities, or unpatched issues. Developers don't always consider
> issues that could be security issues to be security issues, or they don't
> understand the security implications of certain issues.
>
> Lastly, just because Arch is a rolling release it doesn't mean that
> everybody that uses it just updates everything at a whim. Some people do
> believe in change control and it may be useful for those people to be aware
> of security issues in certain packages that need to be updated. Not
> everybody does a daily/weekly/monthly system update. For some people
> "stability" is a feature. Some people might choose to upgrade packages which
> are security conscious while taking caution to upgrade a package they
> are dependent on.

My OPINION is that Arch is not a distro for those who do not want to do regular total updates. Of course, some have individual packages in NoUpgrade, but the number of problems which crop up which come down to "you didn't run pacman -Syu!" is an indicator of why it's a bad idea.
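Point 3 in the quoted list (daemons dropping privileges and chrooting) is the kind of change an initscript can only enable if the daemon itself does it correctly, and the ordering is where it usually goes wrong. The following is an added example, not code from this thread or from Arch's initscripts; the jail path `/var/empty` and uid/gid 65534 are assumed values for illustration. It shows the sequence chroot, chdir, setgroups, setgid, setuid, and a check that root cannot be regained afterwards.

```c
/* Privilege-dropping sequence for a daemon, with a self-check.
 * Added example; not from the thread or from any Arch package. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure (errno set by the failing call).
 * Order matters: chroot() needs root, so it comes first; setgroups() and
 * setgid() come before setuid(), because after setuid() they need root again.
 * Refuses a target of uid/gid 0, since that would not drop anything. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (jail != NULL) {
        if (chroot(jail) != 0)
            return -1;
        if (chdir("/") != 0)      /* otherwise cwd still points outside the jail */
            return -1;
    }
    if (setgroups(0, NULL) != 0)  /* clear supplementary groups inherited from root */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process now runs as uid/gid and cannot regain root,
 * 0 otherwise. The setuid(0) call must fail once the saved set-user-ID
 * has been replaced; if it succeeds, the drop was incomplete. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Assumed values: an empty jail directory and the nobody/nogroup ids
     * used on many systems. Must be started as root to get past chroot(). */
    const char *jail = "/var/empty";
    if (drop_privileges(jail, 65534, 65534) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("unprivileged and unable to regain root: %d\n",
           privileges_dropped(65534, 65534));
    return 0;
}
```

The self-check is the part worth keeping in a real daemon: a drop that leaves the saved set-user-ID at 0 looks successful in `ps` but can be undone by any code path that calls `setuid(0)`, which is exactly the layered-defense failure the quoted message warns about.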