On Thu, Jun 17, 2010 at 6:12 PM, Burlynn Corlew Jr <burlynn@xxxxxxxxx> wrote: > I am going to vote that you please do not CC all of this to arch-general. > Many of us are not concerned with this, and already this afternoon I've seen > enough mail regarding it that I can see it as a problem. The arch-security > list has been denied, and it seems to me all this is doing is trying to > circumvent the denial. Your google group is your business, but I feel that > forwarding to arch-general, the most popular list we have, is unfair to > those who do not wish to be involved. beh, finally :-D and i agree with others that if you're not interested in following the rolling release for 'security reasons' then you're probably headed for more complications than it's worth. security is a vast a wide concept, full of crevasses and bear traps. 'securing' and auditing an entire distribution full of a heterogeneous software is the job of a full-time paid staff of security experts, engineers, and upstream developers. even that may not produce much. anything less will add complexity due to naive diagnosis, and will not be worth the massive amount of time expended in the process. however, you can be a security conscious administrator. learn in depth the specific systems/daemons/applications that you depend on. learn them, and really understand their roles, relationships, and I/O points in relation to the other software on the system. monitor your systems and look for that which does not fit. security is the responsibility of those deploying, not those packaging. it requires end-to-end oversight and complete configuration toward a specific and particular purpose; something that is not possible for those creating a distribution for a generic, multi-purpose user base.
