| 1 |
Interesting points. But I don't think the hardened mailinglist is the |
| 2 |
right place to discuss general software-design, even if it's security |
| 3 |
related. But who am I to say what's allowed here? :-) |
| 4 |
|
| 5 |
My personal view is that software will always have bugs and security |
| 6 |
holes. That's why it's important to have multiple layers of security. If |
| 7 |
a program/package has a software bug that could lead to security issues |
| 8 |
it doesn't make the whole system unsafe. I think the hardened-project |
| 9 |
comes a long way to address this. It's never gonna be perfect but |
| 10 |
atleast it is IMO a very good start. Secure your services with good |
| 11 |
secure network design, educated users (this goes a long way), patched |
| 12 |
software, correctly and securely configured software, and lastly |
| 13 |
hardening technologies like the stuff gentoo-hardened provides. |
| 14 |
|
| 15 |
Claiming that Linux-developers don't think about security is pretty |
| 16 |
unfair. Even if openbsd have had few remote exploits in its default |
| 17 |
install. There have been alot of remote exploits after you start adding |
| 18 |
usefull applications. An OS is nothing without its apps ;) |
| 19 |
|
| 20 |
As for updates, just upgrade stuff with known holes? Limit the number of |
| 21 |
packages and the number of holes to fix won't be so big. I've also set |
| 22 |
up a glsa-check script to run on cron to e-mail me warnings. No need to |
| 23 |
do emerge -uavD world every week. But I do agree the patching arms-race |
| 24 |
is not optimal. But openBSD and other platforms suffers from the very |
| 25 |
same problem. I don't think we're gonna see a solution to that problem |
| 26 |
in the nearest future. |
| 27 |
|
| 28 |
Probably not the educated answer you were looking for. I mainly wrote it |
| 29 |
for my self to see what i'd come up with. Hope someone else will answer to. |
| 30 |
|
| 31 |
Arne Morten |
| 32 |
|
| 33 |
Jan Klod skrev: |
| 34 |
> Hello, |
| 35 |
> some people in gentoo forum made me ask this one: it is supposed, that regular |
| 36 |
> updates of system is a wise thing to do, but, excuse me, ... those bugs and |
| 37 |
> holes are there before someone say "update them" -- so do you agree, nowdays |
| 38 |
> Linux is never safe? |
| 39 |
> OpenBSD has its own slogan about only very few remote holes in long time -- so |
| 40 |
> it makes an impression, I can install an OpenBSD machine and let it do it's |
| 41 |
> job. |
| 42 |
> Can anyone crash my impression about OpenBSD (and is it still alive enough, by |
| 43 |
> the way?)? |
| 44 |
> How about hardened gentoo in this regard (create system for few, specific |
| 45 |
> purposes and leave it for years without damn update hustle)? |
| 46 |
> |
| 47 |
> I realize, this is "in general", but the question is about software writing |
| 48 |
> style (think when write it or wait for someone to find what is wrong) and |
| 49 |
> ways to protect from bugs (like overflows etc) in software. |
| 50 |
> |
| 51 |
> In ideal world, updates are necessary only to get software, that has new |
| 52 |
> functions -- do we seam to approach it? |
| 53 |
> |
| 54 |
> Jan |
| 55 |
> |
| 56 |
> |
Archives