Interesting points. But I don't think the hardened mailing list is the
right place to discuss general software design, even if it's
security-related. But who am I to say what's allowed here? :-)

My personal view is that software will always have bugs and security
holes. That's why it's important to have multiple layers of security. If
a program/package has a software bug that could lead to security issues
it doesn't make the whole system unsafe. I think the hardened project
goes a long way to address this. It's never gonna be perfect but
at least it is IMO a very good start. Secure your services with good
secure network design, educated users (this goes a long way), patched
software, correctly and securely configured software, and lastly
hardening technologies like the stuff gentoo-hardened provides.

Claiming that Linux developers don't think about security is pretty
unfair. Even if OpenBSD has had few remote exploits in its default
install. There have been a lot of remote exploits after you start adding
useful applications. An OS is nothing without its apps ;)

As for updates, just upgrade stuff with known holes? Limit the number of
packages and the number of holes to fix won't be so big. I've also set
up a glsa-check script to run on cron to e-mail me warnings. No need to
do emerge -uavD world every week. But I do agree the patching arms race
is not optimal. But OpenBSD and other platforms suffer from the very
same problem. I don't think we're gonna see a solution to that problem
in the near future.

Probably not the educated answer you were looking for. I mainly wrote it
for myself to see what I'd come up with. Hope someone else will answer too.

Arne Morten

Jan Klod wrote:
> Hello,
> some people in gentoo forum made me ask this one: it is supposed that regular
> updates of the system are a wise thing to do, but, excuse me, ... those bugs and
> holes are there before someone says "update them" -- so do you agree, nowadays
> Linux is never safe?
> OpenBSD has its own slogan about only very few remote holes in a long time -- so
> it makes an impression, I can install an OpenBSD machine and let it do its
> job.
> Can anyone crash my impression about OpenBSD (and is it still alive enough, by
> the way?)?
> How about hardened gentoo in this regard (create system for few, specific
> purposes and leave it for years without damn update hustle)?
>
> I realize this is "in general", but the question is about software writing
> style (think when writing it or wait for someone to find what is wrong) and
> ways to protect from bugs (like overflows etc) in software.
>
> In an ideal world, updates are necessary only to get software that has new
> functions -- do we seem to approach it?
>
> Jan