On 17.05.2014 21:33, Gunnar Wolf wrote:
> Joel Rees said [Sat, May 17, 2014 at 10:06:41PM +0900]:
>>> The problem is, that Debian lacks a page similar to:
>>> https://wiki.ubuntu.com/Security/Features
>> Is that page really useful? I mean, besides as a sort of sales brochure?
> Agree with this. It would be nice to have such a page, but having it means we'd have to remember to keep it up to date. And it provides little value but (precisely) being a sales brochure. So... :)
>
>> I did note that the debian pages on security are a bit dated.
>>
>> I suppose I should lend a hand there if I can find the time. How about you, do you have the time? You don't have to start out understanding the whole list, you just have to be willing to look up the debian packages, learn how their setup works, and write down what you learned, discuss it on the appropriate lists, then write up some summaries and submit them. If you do good work, you'll be invited to assume responsibility for some of the wiki pages.
> Right. And if the pages are generally seen as meaningful and well done, they might later become part of the "official" non-wiki webpage.
>
>>>> This will be an issue with any OS you choose, even seriously secure OSes like openBSD.
>>> Is OpenBSD a seriously secure OS?
>> I suppose it's easier to get into an openbsd server than it is to fly to the moon, but if you set up an openbsd server and keep it updated, attackers will generally find it easier to try social engineering instead of attacking the server directly.
>>
>> Modulo the services you run, but that's true of any OS. If you are running a hypertext protocol server and it has a hole, you have a hole in your server.
> That last paragraph is, I found, the most important. Very few people run OpenBSD in its default install (other than for firewalls or similar stuff). Once you set up a webserver with dynamically generated content, a DBMS, and similar stuff... Well, you will find the "ports" (their term for our "packages") are not supported, and staying up to date is not as trivial as with Debian.
>
> OpenBSD is a *great* project and has contributed many very important techniques. They have audited and improved many important packages (and the work they are currently doing with Open^WLibreSSL is just one such example). I would never say their work is not worth following. But as a sysadmin, many years ago I found Debian to be much preferable — Because it cares about the overall security of a very large, very complex and wide-reaching set of programs, not just a core operating system around which to build whatever is needed.
>
>>> Last time I checked, OpenBSD didn't provide signed packages for the package manager by default. Using OpenBSD signed packages for updating only seemed ridiculously complicated.
>> Basically, you're supposed to buy the CDs from the project. CDs are a bit harder to spoof than dns, and they come out every six months.
> The CDs are a way to support (read: fund) the project. To keep your install up-to-date, you must download (unsigned!) patches from Internet, apply them to the tree and rebuild the needed parts of the OS. You are supposed to read the patches to understand what you are doing, although I'm certain many people don't — That's why I wrote an auto-patcher back in 2003 (http://gwolf.org/soft/tepatche/ — It's amazing how bitrot affects even my webpages :-| )... But yes, nowadays I'd be much more uneasy with fetching code from a given FTP server and pushing it automatically into my systems.
>

Hi there,

I am a happy Debian and Arch user and have seen some FUD flying by recently about OpenBSD, so I thought I might as well correct it:
OpenBSD 5.5 (the newest release, May 1, 2014). They have added signify: Releases and packages are now cryptographically signed with the signify(1) <http://www.openbsd.org/cgi-bin/man.cgi?query=signify&sektion=1> utility.

* The installer will verify all sets before installing.
* Installing without verification works, but is discouraged.
* Users are advised to verify the installer (bsd.rd, install55.iso, etc.) ahead of time using the signify(1) <http://www.openbsd.org/cgi-bin/man.cgi?query=signify&sektion=1#end> tool if available.
* pkg_add(1) <http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&sektion=1> now only trusts signed packages by default.

So finally OpenBSD also got signed packages.

Best regards,
stoffl

Archive: https://lists.debian.org/5378540d.2010...@yahoo.de