I'm not claiming that Mandrake is insecure, just saying that there are
more secure systems.

Let's take two other operating systems that are in general "secure" and
compare them to Mandrake.

The first one: Debian

Debian releases packages in two groups, Stable and Unstable. Stable has been
tested for security and that it's actually stable on a running server.
All packages released to Mandrake are directly from the CVS, almost anyway,
and the bug testing is up to the user. The packages released haven't been
tested enough (it takes some time to go through the code to remove obvious
and less obvious exploit possibilities, it also takes time to remove bugs
that can make your product vulnerable to DoS attacks).

Debian has an established way to patch the system called apt-get; you can
run it from a script every hour if you feel like it.
You use it like this, and as you can see it connects to a server containing
all the latest patches to keep your system "secure".
Log in via SSH (Secure Shell):

Beefy:/etc/X11/xdm# apt-get update
Hit http://security.debian.org stable/updates/main Packages
Hit http://security.debian.org stable/updates/main Release
Hit http://security.debian.org stable/updates/contrib Packages
Hit http://security.debian.org stable/updates/contrib Release
Hit http://security.debian.org stable/updates/non-free Packages
Hit http://security.debian.org stable/updates/non-free Release
Hit http://http.us.debian.org stable/main Packages
Hit http://http.us.debian.org stable/main Release
Hit http://http.us.debian.org stable/contrib Packages
Hit http://http.us.debian.org stable/contrib Release
Hit http://http.us.debian.org stable/non-free Packages
Hit http://http.us.debian.org stable/non-free Release
Hit http://non-us.debian.org stable/non-US/main Packages
Hit http://non-us.debian.org stable/non-US/main Release
Hit http://non-us.debian.org stable/non-US/contrib Packages
Hit http://non-us.debian.org stable/non-US/contrib Release
Hit http://non-us.debian.org stable/non-US/non-free Packages
Hit http://non-us.debian.org stable/non-US/non-free Release
Reading Package Lists... Done
Building Dependency Tree... Done
Beefy:/etc/X11/xdm# apt-get upgrade
Reading Package Lists... Done
Building Dependency Tree... Done
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Beefy:/etc/X11/xdm#

Yes, you have mandrakeupdate, which is a GUI tool. How do you use that one on
a server located 500 miles from you where the only possibility to log in is
SSH (if you use telnet or RSH your main concern isn't security)? You could
do it manually = it might not be done that often ---> You've got yourself
an insecure system.

Another thing:

A mail from Debian security, concerning all distros:

July 28, 2001
------------------------------------------------------------------------

Package : apache,apache-ssl
Problem type : remote exploit
Debian-specific : no

Couldn't find anything about it on the Mandrake security list, and from what
I could see the last patch released from Mandrake was released 2001-07-25.
Went through the bugtraq list and found several things that should affect
the Mandrake distribution, but nothing could be found at Mandrake security.
You can check for yourself in the bugtraq archives.

The last thing, a quote taken from the fw dist of Mandrake: "Easy to use
remote web interface". The reason for running a webserver on a firewall,
to make it more secure? Don't think so.


The other one: OpenBSD. Well, a quote from http://www.openbsd.org says it
all :)

"Four years without a remote hole in the default install!"

I work as a System Administrator for stockmarket systems and we have
security and stability as our main focus. We run every system on Debian and
our firewalls are running OpenBSD.

A few last words, want this thread to end: a system isn't more secure than
the person who administers it makes it, but if he doesn't have the means to
keep it secure it won't be secure.

And yes, I'd rather choose Mandrake on a firewall than a Windows version, but
why not choose the most secure system while you're at it?


> On Fri, 10 Aug 2001, Marco Wesselgren wrote:
>
> > For your information, I'm not flaming Mandrake, just pointing out that it
> > might not be the best choice if you're going to run a firewall or another
> > system that is being exposed to potential threats.
>
> What precisely is so insecure about Mandrake compared with other distros?
> I mean, if you make such a statement, you should have some reason.
>
> -andrej
>