-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Troy Aden wrote:
| Wow I am sort of surprised that no one has responded to this thread. I guess my concerns must be trivial. I really did not want to switch away from this distro since it has worked so well for us for so many years but my case for keeping it seems to be getting weaker and weaker since I have nothing to say that it is truly "secure" since there does not seem to be any mechanisms for making sure that the packages I am using are always kept up to date with the latest security patches. I guess my wish list would be having "apt-get" functionality. But I guess that that would add allot of bulk to the current distro. <Whew!> Lots of interesting questions (see earlier posts for full details). First of all, your concerns are not trivial. Everyone is (or should be) concerned about network security in today's day and age. The main issues in the previous emails seem to boil down to: 1) How do I update LEAF (or "Where's the auto-update feature")? 2) Where's the emergency response team that makes new package available mere minutes after upstream releases are available? 3) Who do I call/blame when my router gets hacked? 4) Is any of this even necessary? OK, let's go through these a bit... First, LEAF is *NOT* a generic linux distribution, and can't really be compared to RedHat, Suse, Debian, etc. This is *VERY* important to remember. Due to it's focus on a small footprint and execution from RAM (no hard-disk or other permanent storage mounted at runtime), LEAF has a much different packaging philosophy from most other linux distributions. 1) How do I update LEAF (or "Where's the auto-update feature")? - ------------------------------------------------------------------ The short answer for "how do I update LEAF" is "it depends". For me, I just burn a new CD, pop it in the firewall and reboot (I load the core packages off CD-ROM and store configuration data on a floppy, so a new CD is typically all I need to upgrade). The procedure is different depending on how you're loading your packages, whether or not you're using partial backups, and other details. There's generally no one-step upgrade procedure for a variety of reasons, including but not limited to the following: - - LEAF files have historically been spread out around the 'net (or lately, around the LEAF site). Picking which file(s) you want to upgrade to isn't always an easy task with an obvious answer. - - Automatically downloading and trusting content from the internet is generally seen as a Bad Idea for a security appliance. - - Coding something that cryptographically signs and verifies packages would be difficult given the limited resources avaialble on a base LEAF system, and tricky to implement in practice given the fairly large number of LEAF developers. - - No one has written code to do package updates that's been folded into the mainline source. I believe apkg, and possibly some other alternate package managers for LEAF will support updates, but you have to download (or otherwise make available) the updated packages manually. 2) Where's the emergency response team that makes new package available mere minutes after upstream releases are available? - ------------------------------------------------------------------ As mentioned by others, most of the LEAF crew are individuals volunteering their time. It's also important to consider how urgently you really need updates (more on this below). 3) Who do I call/blame when my router gets hacked? - ------------------------------------------------------------------ Look in the mirror! Seriously, the mailing list is a good resource, but by using something like LEAF you're taking on a lot of responsability. LEAF is very configurable, and the power to make your network secure (or accessible to the world) is literally in your hands. Developers attempt to configure pacakges with reasonable defaults, but there's no way we can know in advance what you're planning on doing, so you generally need to crawl through the entire configuration to make sure you "know what you bought". That's actually one of the big benifits of something like LEAF. If you're familiar with linux already, you can peek under the hood, and in a couple of days have a pretty complete understanding of how LEAF is put together and where all the parts go. <HEY! I was talking about updated package binaries...what's all this about configuration?> More on the updated binaries next...in the meantime, you really should be more worried about your runtime configuation. Things like shorewall can make iptables easier to configure, but firewall rules are arcane and complex, and one mistake (even getting two correct rules out of order) can put your entire network at risk. 4) Is any of this even necessary? - ------------------------------------------------------------------ While it's generally good to run updated binaries with known exploits patched, you should go through some of the recent security notices for packages included in LEAF. Most common exploits involve local accounts and privlidge escalation. On a system like LEAF, you really shouldn't have local accounts (or at least none belonging to someone who you don't trust to fully administer the firewall), so these become moot. I think you'll find the LEAF developers respond pretty quickly to anything that presents a remote-level exploit potential, but these are (thankfully) pretty rare, especially since there's a limited amount of software installed on a typical LEAF system. - -- Charles Steinkuehler [EMAIL PROTECTED] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFC8VDuLywbqEHdNFwRAoQLAKCk/bSzCvY9c0SIKfG4JSw27telNgCgwHpR GNgU1Q9vQTIiTAQfZCIz/b8= =0ygw -----END PGP SIGNATURE----- ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ------------------------------------------------------------------------ leaf-user mailing list: [email protected] https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
