Joel Rees said [Sat, May 17, 2014 at 10:06:41PM +0900]:
> > The problem is, that Debian lacks a page similar to:
> > https://wiki.ubuntu.com/Security/Features
>
> Is that page really useful? I mean, besides as a sort of sales brochure?
Agree with this. It would be nice to have such a page, but having it means we'd have to remember to keep it up to date. And it provides little value but (precisely) being a sales brochure. So... :)

> I did note that the debian pages on security are a bit dated.
>
> I suppose I should lend a hand there if I can find the time. How about you, do you have the time? You don't have to start out understanding the whole list, you just have to be willing to look up the debian packages, learn how their setup works, and write down what you learned, discuss it on the appropriate lists, then write up some summaries and submit them. If you do good work, you'll be invited to assume responsibility for some of the wiki pages.

Right. And if the pages are generally seen as meaningful and well done, they might later become part of the "official" non-wiki webpage.

> >> This will be an issue with any OS you choose, even seriously secure OSes like openBSD.
> >
> > Is OpenBSD a seriously secure OS?
>
> I suppose it's easier to get into an openbsd server than it is to fly to the moon, but if you set up an openbsd server and keep it updated, attackers will generally find it easier to try social engineering instead of attacking the server directly.
>
> Modulo the services you run, but that's true of any OS. If you are running a hypertext protocol server and it has a hole, you have a hole in your server.

That last paragraph is, I found, the most important. Very few people run OpenBSD in its default install (other than for firewalls or similar stuff). Once you set up a webserver with dynamically generated content, a DBMS, and similar stuff... Well, you will find the "ports" (their term for our "packages") are not supported, and staying up to date is not as trivial as with Debian.

OpenBSD is a *great* project and has contributed many very important techniques.
They have audited and improved many important packages (and the work they are currently doing with Open^WLibreSSL is just one such example). I would never say their work is not worth following. But as a sysadmin, many years ago I found Debian to be much preferable — because it cares about the overall security of a very large, very complex and wide-reaching set of programs, not just a core operating system around which to build whatever is needed.

> > Last time I checked, OpenBSD didn't provide signed packages for the package manager by default. Using OpenBSD signed packages for updating only seemed ridiculously complicated.
>
> Basically, you're supposed to buy the CDs from the project. CDs are a bit harder to spoof than dns, and they come out every six months.

The CDs are a way to support (read: fund) the project. To keep your install up-to-date, you must download (unsigned!) patches from the Internet, apply them to the tree and rebuild the needed parts of the OS. You are supposed to read the patches to understand what you are doing, although I'm certain many people don't — that's why I wrote an auto-patcher back in 2003 (http://gwolf.org/soft/tepatche/ — it's amazing how bitrot affects even my webpages :-| )... But yes, nowadays I'd be much more uneasy with fetching code from a given FTP server and pushing it automatically into my systems.

Archive: https://lists.debian.org/20140517193308.ga4...@gwolf.org