Re: goals for hardening Debian: ideas and help wanted

2014-06-06 Thread Tom Dial
I suggest resumption of maintenance for OVAL to support OpenSCAP.
www.debian.org/security/oval/ seems not to have been maintained since
some time in late 2010 or early 2011.

Tom Dial



On 04/23/2014 08:57 PM, Paul Wise wrote:
> Hi all,
> 
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
> 
> https://wiki.debian.org/Hardening/Goals
> 
> If you have more ideas, please add them to the wiki page.
> 
> If you have more information, please add it to the wiki page.
> 
> If you would like to help, please choose an item and start work.
> 


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/53928208.7070...@comcast.net



Re: goals for hardening Debian: ideas and help wanted

2014-06-06 Thread intrigeri
Hi,

Giacomo Mulas wrote (24 Apr 2014 16:49:20 GMT) :
> Good to know, actually I had tried apparmor quite some time ago and did not
> try again. I will give it another spin as soon as I can.

https://wiki.debian.org/AppArmor/HowTo :)

> However, I do not agree that I should file bugs against apparmor if a debian
> package does not work properly, it should go to the package manager (and
> maybe cc to some apparmor expert team). It cannot be the maintainer(s) of
> apparmor to have to shoulder the effort of creating and maintaining profiles
> for all debian packages.  They may be called in for support, but regular
> package maintainers should be involved IMHO, otherwise it will never really
> take off and provide significantly better security.

IMO, the bug should be filed against the package that ships the
profile: it's not a bug in the apparmor package, that other packages
may feed it with a buggy configuration.

Now, most package maintainers currently don't use AppArmor, and they
may upload AppArmor profiles (e.g. provided by upstream) that won't
work as-is in Debian. We have no clear consensus that we should invest
time, distro-wide, to support AppArmor in Debian, so I don't think we
can blame anyone for this. At least they're giving a chance, for
anyone interested, to actually test these profiles, enjoy it when it
works, and report bugs otherwise.

If the profile is shipped in the same package as the software (as
opposed to what comes from apparmor-profiles), and if the maintainer
lacks the resources and/or the interest to take care of such bugs, then
they still have two useful options:

 * ask the AppArmor profiles team (Cc'd) for help to fix the profile,
   in order to go on shipping it along with the software it's about;
   that would be my preferred solution, whenever applicable;

 * drop the profile from their package altogether, and ask
   pkg-aa-profiles for inclusion in the upcoming
   apparmor-profiles-extra package.

I still haven't had time to properly announce the pkg-aa-profiles team, so
no wonder it hasn't taken off yet. Help is welcome:

   https://wiki.debian.org/AppArmor/Contribute

If interested in more background information:
https://lists.debian.org/debian-security/2014/01/msg8.html

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Archive: https://lists.debian.org/85r431h513@boum.org
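Testing a shipped profile, as suggested above, mostly means running the program under the profile in complain mode and reading the kernel's AppArmor audit messages. The following is an added example (not code from the AppArmor project or from pkg-aa-profiles) that turns those messages into the file rules a profile is missing; the log lines are constructed, the profile names `/usr/sbin/foo` and `/usr/sbin/bar` are hypothetical, and the line format is the one the kernel prints for AppArmor events.

```python
# Added example for this thread, not AppArmor or Debian tooling: summarise
# AppArmor audit messages from the kernel log into the file rules a profile
# lacks, roughly what aa-logprof derives interactively.
import re
from collections import defaultdict

# Constructed kernel log lines in the AppArmor audit format: one profile load
# (STATUS), three denials under /usr/sbin/foo (two for the same path), and one
# complain-mode ALLOWED event under /usr/sbin/bar.
SAMPLE_LOG = """\
[  512.101] audit: type=1400 audit(1402000000.101:31): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/foo" pid=900 comm="apparmor_parser"
[  520.201] audit: type=1400 audit(1402000008.201:32): apparmor="DENIED" operation="open" profile="/usr/sbin/foo" name="/etc/foo/foo.conf" pid=1234 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  520.202] audit: type=1400 audit(1402000008.202:33): apparmor="DENIED" operation="open" profile="/usr/sbin/foo" name="/var/log/foo/foo.log" pid=1234 comm="foo" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[  520.203] audit: type=1400 audit(1402000008.203:34): apparmor="DENIED" operation="open" profile="/usr/sbin/foo" name="/etc/foo/foo.conf" pid=1235 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  530.300] audit: type=1400 audit(1402000018.300:35): apparmor="ALLOWED" operation="open" profile="/usr/sbin/bar" name="/run/bar.pid" pid=1300 comm="bar" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in _KV.findall(line)}

def missing_rules(log_text):
    """Map profile -> sorted AppArmor file rules for every DENIED or
    (complain-mode) ALLOWED file event, merging the masks seen per path."""
    wanted = defaultdict(dict)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["apparmor"] not in ("DENIED", "ALLOWED"):
            continue  # STATUS lines (profile load/reload) carry no rule to add
        if "name" not in ev or "denied_mask" not in ev:
            continue  # capability/network events need other rule types
        masks = wanted[ev["profile"]].setdefault(ev["name"], set())
        masks.update(ev["denied_mask"])
    return {profile: sorted("%s %s," % (path, "".join(sorted(m)))
                            for path, m in paths.items())
            for profile, paths in wanted.items()}

if __name__ == "__main__":
    for profile, rules in missing_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```

In practice: `aa-complain /etc/apparmor.d/usr.sbin.foo`, exercise the program, then feed `dmesg` or `/var/log/kern.log` to `missing_rules`; the output is what to attach to the bug against the package shipping the profile, or to review with `aa-logprof`, rather than rules to paste in blindly, since a denial can also mean the program is doing something the profile is right to forbid.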



Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-06-06 Thread Andrew McGlashan
On 1/06/2014 5:13 AM, Andrew McGlashan wrote:
> The OCSP server not found issue is rare; in the past the /main/ CAs got
> together to discuss the OCSP issue and they created CDNs to deal with
> issues like not being able to connect to the OCSP server.  The page that
> was linked from /google's/ pov  ... was quite old btw.

Of the sites that have trouble with OCSP, the most significant ones for
me have been Google Search and YouTube; when Google Search fails, I
just use another search engine.

Cheers
A.


Archive: https://lists.debian.org/53921104.9000...@affinityvision.com.au