Hi Troy,
I myself do not consider your concerns trivial at all. Probably many people
have the same concerns. However, I find it very difficult to implement, and
the main reason is resources. As far as I understand, most of the LEAF
developers are volunteers and work unpaid for the project, so how can we
expect that they can find the time and effort to watch for security all
the time and fix the bugs? I remember Martin Hejl saying that there are a
lot of new features they can add but they do not have enough time.
However they did an excellent job of creating a build-environment and you
can build the LRP yourself if needed. In your case, I suggest that you
subscribe to the security list and, if there is any bug you think could
affect your firewall, then get the updated source and patch it yourself.
Probably other folks here would not mind if you can then contribute those
LRPs back to the list -:).
Or the LEAF team can consider Richard's suggestion about the money contribution
and think of some mechanism.
Otherwise, your office needs to go with some commercial products and pay
big bucks for them.
BTW, I am just a user, not a developer, so I apologize for anything incorrect
I say.
Cheers.
----- Original Message -----
From: "Troy Aden" <[EMAIL PROTECTED]>
To: "Richard Amerman" <[EMAIL PROTECTED]>;
<[email protected]>
Sent: Wednesday, August 03, 2005 5:00 PM
Subject: RE: [leaf-user] Security and LEAF Bering UClibc
Wow, I am sort of surprised that no one has responded to this thread. I guess
my concerns must be trivial. I really did not want to switch away from this
distro since it has worked so well for us for so many years, but my case for
keeping it seems to be getting weaker and weaker since I have nothing to say
that it is truly "secure", since there do not seem to be any mechanisms for
making sure that the packages I am using are always kept up to date with the
latest security patches. I guess my wish list would be having "apt-get"
functionality. But I guess that that would add a lot of bulk to the current
distro.
Troy
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Amerman
Sent: Monday, August 01, 2005 3:36 PM
To: [email protected]
Subject: RE: [leaf-user] Security and LEAF Bering UClibc
I'm sure that this topic is not new, but it is probably one that should be
brought up regularly in case there are new options as to how to address the
issue.
My company, and other companies I work with (and I'm very sure we are not
alone in this), would find it extremely valuable if there was a
system/process where all the core LRPs were monitored for security
bulletins. When one of these bulletins was released, it would trigger
a process of updating the LRP ASAP and letting everyone on what may be a
new list know that the update was available, a LEAF errata per se.
I think that people, including us, would contribute $ to see this put
together, while not making it any kind of premium service, but available to
everyone. It could just be a voluntary donation thing, or/also involve one
or more bounties. It would also be valuable if this task was taken on by
something other than just an individual or group of individuals, but a
business that has a large stake in things, or some organization with some
structure. The idea on this is credibility and stability, not only in
reality but from a perception standpoint.
(Translate, I have to show my boss something that he can put some faith in.)
What do you think? What kind of discussion has happened in the past on this
topic? Or what am I missing that is already in place to take care of this?
(and yes I will be searching the list archive to see what I can find, but we
all know this is not as simple as it looks.)
Thanks!
Richard Amerman
-----Original Message-----
From: troy [mailto:[EMAIL PROTECTED]
How do you handle security patches for packages? For example,
if you were running a "full" Debian distro, a simple "apt-get
update" would ensure that you pull down the latest security
patches... What is the approach to making sure UClibc is secure...?
------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/