Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-04 Thread Yosi

You Wrote:

  Oh, I read that quotation when it was published. It is a simple
  statistics-based interpretation, and not something fair to base
  judgement on. These 8 vulnerabilities were not Mandrake's (but
  shared for all the Linuxes), and most of them are not dangerous
  for people with the "paranoid" configuration mode.

In this specific case the statistics don't lie.

For instance - the userhelper problem (basically - userhelper didn't
check that pam modules are from inside /etc/pam.d , which gave a very
easy local root exploit) was discovered a while after mandrake 6.1
was out, but was not officially fixed until a couple of months after
mandrake 7.0 was out. IIRC a corrected package was available at
mandrake-cooker, but anyway - it was never announced.
snip

Here is what Kurt Seifried had to say this week:

quote

Wow! I seem to have made some people at Mandrake software a little
unhappy with last week's comments (ya think!) Let me just say that I
have nothing against the Linux Mandrake distribution itself -- I think
it's ok. What I have a problem with is the way Mandrake Software
(the company) handles updates, security announcements and a few other
odds and ends. It isn't enough to build a finely engineered software
product. You also have to issue updates and in the case of an OS it is
critical that customers are told about security updates and made to
understand that if they do not update, bad things[tm] will happen. I
feel that the updates issued by a vendor are an integral part of the
OS, not some nice altruistic service they might be willing to provide
customers.

This is why I gave the Linux Mandrake distribution a "failing" grade.
My main two issues with Mandrake are the lack of a central,
Mandrake run ftp server (i.e. something like updates.redhat.com).
Instead, they rely on third party mirrors that may or may not be
working properly (and over which they have no control).

The other main issue I have is with the poor quality of their security
announcements. Users need to be explicitly told where to find updates
and how to implement them. Now Mandrake has largely fixed this issue,
with two new advisories on Sunday (for DHCP and WuFTPD). They tell you
where to find them, and how to update them. This makes me happy.
Congratulations to Mandrake!

/quote

The quote was taken from
   http://securityportal.com/topnews/weekly/linux2703.html

Yosi

Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]




Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-03 Thread Yosi


You Wrote:

Last thing: There is an Axiom that RH is better for servers while
Mandrake is better for clients. But from my humble opinion, I see
the opposite, at least with the latest versions (MD7.1 vs. RH6.2):
Mandrake supports features which are important for servers (e.g.
ReiserFS, Paranoid security, etc.), while RH looks better for
clients (e.g. easier installation, office apps, etc.). Am I wrong?

Please don't start religious wars;

I am not looking for religious wars either. But, imho, RH security is
better than Mandrake's. Their latest installation (6.2) doesn't
install so much stuff as the previous versions, and most importantly
they issue security patches much faster than Mandrake. Kurt Seifried
from SecurityPortal.com wrote

quote

"Mandrake also wins (hands down) the "easiest distribution to break
into remotely" and "easiest distribution to break into locally",
having finally released 8 fixes for very severe security bugs in 7.1
(their latest, not so greatest distribution). They still haven't got a
central site for updates either, good luck finding them.

/quote

The quote can be found here:
http://www.securityportal.com/topnews/weekly/linux2626.html

Regarding the "Paranoid Security" you mentioned, it can be reached
on RH as well with products such as Bastille, that was designed to run
on virgin installation (http://www.bastille-linux.org/) in the first
place. Just my $0.02, so don't shoot if you disagree :)


Yosi





Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-03 Thread Eli Marmor

Thank you all, Yosi, Tzafrir, Oleg, Ira, Chen, and Izar.

To say that now I'm less confused than before would not be correct,
but I'll try to use your generous responses to make decisions.

Anyway, some notes:

 "Mandrake also wins (hands down) the "easiest distribution to break
 into remotely" and "easiest distribution to break into locally",
 having finally released 8 fixes for very severe security bugs in 7.1

Oh, I read that quotation when it was published. It is a simple
statistics-based interpretation, and not something fair to base
judgement on. These 8 vulnerabilities were not Mandrake's (but
shared for all the Linuxes), and most of them are not dangerous for
people with the "paranoid" configuration mode. In any case, being
paranoid and publishing as many security patches as you can,
doesn't make you a worse distro; I'm afraid that the vendors will
be afraid to publish security patches because of a possible bad
impression...

 Regarding the "Paranoid Security" you mentioned, it can be reached
 on RH as well with products such as Bastille, that was designed to run

I wish I could use a distro ready with special security patches
(maybe KRUD?). However, Bastille is not relevant:

1. There is no Bastille for 6.2, but only for 6.0/6.1.
2. Bastille doesn't support the openwall patch, but a competing
   one. While some people feel more comfortable with that one, most
   of the people who want a kernel supporting secure-stacks,
   including me, prefer the openwall solution (please no religious
   wars...). IIRC, Mandrake uses the openwall solution.

In addition, it is not easy to patch existing kernels with the
secure-linux patches, because usually these kernels (especially RH
and Mandrake) already contain many other patches, and are already
different from the original Linus kernel. It is always better to
get the kernel ready from the vendor, with all the patches already
built-in, and the conflicts already resolved.

Regarding GNOME vs. KDE: I didn't ask which is better; It's a
religious question, and involves personal taste, etc. I only asked
if one of them is more suitable to RH while another one is more
suitable to Mandrake. And I specified this question to 6.2 and 7.1.
Contrary to the past, when everybody knew that RH supports GNOME
better than any other distro, and that Mandrake main advantage is
its KDE support, some people claim that it is different with the
latest versions (6.2 and 7.1); What is your opinion?
In addition, there is a very specific question about the Hebrew
support of Mandrake; Does it work with both - GNOME and KDE?
Tzafrir gave a quite good answer, but if anybody has anything to
add, I'll be happy to read.

 Mandrake position themselves as "more cutting edge" they don't wait for a
 piece of software to be true, tried and tested before including it in a
 distro, therefore it is possible to install a Mandrake that is less stable
 than what you'd like your server to be.

It may look paradoxical, but keeping yourself with the "latest and
greatest" versions makes your distro safer against crackers, so -
better as a server. Yes, sometimes it may be less stable ("new
version, new bugs"...); But from my experience, all of the security
holes are finally found and fixed, and most of the "successful"
cracks were done when the OS was too old, or when the administrator
forgot to install patches. So if you start with the latest version,
you have more chances to have less vulnerabilities in your OS. In
any case, it doesn't save you from the need to install patches as
soon as they are available, and the delay of Mandrake in providing
the wu-ftpd patch looked very bad.

The shortest but most practical response I received, was from Izar:

 I used ReiserFS off a Mandrake box  over
 NFS. It didn't work well, but it worked.

It was also a frightening response. "Imalle...". And I'm confused;
What should I do? If it doesn't support NFS, then it's useless. Not
only for my needs, but for 90% of the people. And what is the
solution, to use ext2 ???  A stupid hardware error (or unexpected
UPS failure) may end up with the loss of all your data (well, a
very small chance of 0.01%. But it is possible...), while the
chance for such a damage with ReiserFS is much lower.
I think I'll adopt Ira's suggestion, and try it. If anybody else
has any RELEVANT experience, please report!  ("relevant" means not
any experience with ReiserFS, and even not a more specific
experience with ReiserFS over NFS, but the very specific case of
Mandrake's ReiserFS over NFS).

Thanks all of you again,
-- 
Eli Marmor





Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-03 Thread Ira Abramov

On Mon, 3 Jul 2000, Eli Marmor wrote:

 In addition, it is not easy to patch existing kernels with the
 secure-linux patches, because usually these kernels (especially RH
 and Mandrake) already contain many other patches, and are already

I never recompile their sources anyway, I DL and compile my own.

 Regarding GNOME vs. KDE: I didn't ask which is better; It's a
 religious question, and involves personal taste, etc. I only asked
 if one of them is more suitable to RH while another one is more

define "suitable" then? they are not different operating systems, just
slightly different RPMs, collections of utilities, and default desktop
configuration.

oh, and Mandrake finally followed SuSE and Debian with a mechanism to
let any RPM remove or add itself to all the menus (and not have a GNOME
menu in KDE and vice versa either). I'm not sure RH got there yet (the
guys at Aduva may be more up to date)

 What should I do? If it doesn't support NFS, then it's useless. Not
 only for my needs, but for 90% of the people. And what is the

I have two machines at home but I don't use NFS. the NFS itself is
buggy, why trust it over a beta FS when I don't trust it over a stable
one?

 chance for such a damage with ReiserFS is much lower.

you don't know that, the failure statistics are not there yet.

 I think I'll adopt Ira's suggestion, and try it.

I wish I had the time myself. I'm sure there's no problem with two
machines (server and mounter), the problems begin with 4 mounting
clients and up accessing the same files, I don't have the resources to
build and test such a network.

-- 
Ira Abramov, GNU/Linux advocate.
(@-  "message passing as the fundamental operation of the OS is 
//\  just an exercise in computer science masturbation. It may 
v_/_ feel good, but you don't actually get anything DONE."
-- Linus on Microkernels.







Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-03 Thread Yosi

You wrote:


Thank you all, Yosi, Tzafrir, Oleg, Ira, Chen, and Izar.

You're welcome.

I wish I could use a distro ready with special security patches
(maybe KRUD?).

Ohhh, but you can. I did not include this in my previous reply because I
thought it is irrelevant to your question. There is actually a distribution
that comes ready with special security patches called Immunix
(http://www.immunix.org/). ImmunixOS is based on RedHat's
latest distribution. ImmunixOS is made of RedHat's rpms compiled with
Immunix's StackGuard utility that is supposed to add an additional
layer of protection against buffer overflows and the like. In the
future, Immunix promises to add support in the form of SubDomain and
CryptoMark (a TripWire clone?). I don't have any experience with this
distribution, but I will be more than interested to hear from anyone who
does.

However, Bastille is not relevant:

1. There is no Bastille for 6.2, but only for 6.0/6.1.

Yes, you are right. Bastille only comes for RedHat 6.0 and 6.1.
Too bad the Bastille developers cannot issue their version closer
to the date the new RedHat distribution is out.

In addition, it is not easy to patch existing kernels with the
secure-linux patches, because usually these kernels (especially RH
and Mandrake) already contain many other patches, and are already
different from the original Linus kernel. It is always better to
get the kernel ready from the vendor, with all the patches already
built-in, and the conflicts already resolved.

Yet another reason to have a look at Immunix.

Yosi






Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-03 Thread Eli Marmor

[Izar: Note the question at the bottom of the message]

  Regarding GNOME vs. KDE: I didn't ask which is better; It's a
  religious question, and involves personal taste, etc. I only asked
  if one of them is more suitable to RH while another one is more
 
 define "suitable" then? they are not different operating systems, just
 slightly different RPMs, collections of utilities, and default desktop
 configuration.

I meant "integration". In the previous versions, GNOME was known
to be best integrated into RH, and among the RH-based distros, KDE
was known to be best integrated into Mandrake. So my question is
if it is still true with RH6.2 and Mandrake7.1 (I heard that it is
not true anymore). In addition, there are specific customizations
of the various distros. For example, what I mentioned about
Hebrew. I asked if the Hebrew that Mandrake added translates both
KDE and GNOME.
By the way: With 7.1, Mandrake is no more a RH derivative.

  What should I do? If it doesn't support NFS, then it's useless. Not
  only for my needs, but for 90% of the people. And what is the
 
 I have two machines at home but I don't use NFS. the NFS itself is
 buggy, why trust it over a beta FS when I don't trust it over a stable
 one?

The whole world has used NFS for MANY years. I can't just ignore all
of them. Especially with the too many types of UNIX that I have;
The only way to connect all of them to the same file system is by
using NFS. And besides, I'm quite satisfied with NFS (as are other
millions of users), and trust it even for backups.

   I'm sure there's no problem with two
 machines (server and mounter), the problems begin with 4 mounting
 clients and up accessing the same files, I don't have the resources to
 build and test such a network.

I'm not going to use so many clients simultaneously, so I guess that
there is no problem for me. Izar: Did you experience the problems
that you mentioned only with high number of simultaneous clients, or
also with 1-3 clients?

-- 
Eli Marmor





Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-03 Thread Tzafrir Cohen

On Mon, 3 Jul 2000, Eli Marmor wrote:

 Thank you all, Yosi, Tzafrir, Oleg, Ira, Chen, and Izar.
 
 To say that now I'm less confused than before, will not be correct,
 but I'll try to use your generous responses to make decisions.
 
 Anyway, some notes:
 
  "Mandrake also wins (hands down) the "easiest distribution to break
  into remotely" and "easiest distribution to break into locally",
  having finally released 8 fixes for very severe security bugs in 7.1
 
 Oh, I read that quotation when it was published. It is a simple
 statistics-based interpretation, and not something fair to base
 judgement on. These 8 vulnerabilities were not Mandrake's (but
 shared for all the Linuxes), and most of them are not dangerous for
 people with the "paranoid" configuration mode. 

In this specific case the statistics don't lie.

For instance - the userhelper problem (basically - userhelper didn't check
that pam modules are from inside /etc/pam.d , which gave a very easy local
root exploit) was discovered a while after mandrake 6.1 was out, but was
not officially fixed until a couple of months after mandrake 7.0 was out.
IIRC a corrected package was available at mandrake-cooker, but anyway - it
was never announced.

Another example - the one I mentioned in an earlier post about wu-ftpd .
The fix was available at cooker since 26.6, but was only announced as an
official fix on 2.7 . And this is a serious remote root exploit.

Anyway - IIRC with all the recent security updates redhat responded much
faster. 

 
 In addition, it is not easy to patch existing kernels with the
 secure-linux patches, because usually these kernels (especially RH
 and Mandrake) already contain many other patches, and are already
 different from the original Linus kernel. It is always better to
 get the kernel ready from the vendor, with all the patches already
 built-in, and the conflicts already resolved.

BTW: it is not that difficult to add your own patches to an existing
kernel configuration from an rpm:

Basically - download and install the source rpm of kernel
(kernel-*.src.rpm , not kernel-sources-*.noarch.rpm). Now edit
RPM/SPECS/kernel.spec :
add your own patches, or remove existing patches (edit the %prepare
section. Add additional %patch 'es if you want to add patches) and then
issue:

rpm -bp RPM/SPECS/kernel.spec 

and there you have a patched kernel source tree.

Or - in case you didn't get it right - re-edit kernel.spec and rerun rpm
-bp 

(note that I have never tried to do that)

 
  Mandrake position themselves as "more cutting edge" they don't wait for a
  piece of software to be true, tried and tested before including it in a
  distro, therefore it is possible to install a Mandrake that is less stable
  than what you'd like your server to be.
 
 It may look paradoxally, but keeping yourself with the "latest and
 greatest" versions, makes your distro safer against crackers, so -
 better as a server. Yes, sometimes it may be less stable ("new
 version, new bugs"...); But from my experience, all of the security
 holes are finally found and fixed, and most of the "successful"
 cracks were done when the OS was too old, or when the administrator
 forgot to install patches. 

This is why any good distro should make it easy to get all of its recent
security updates. I believe both Mandrake and RedHat's recent versions
include simple utilities to automate this (although MandrakeUpdate is
focused on a local X user).

And anyway:

wget -r ftp://distro.mirror/updates_dir

rpm -Fv *.rpm

should suffice on most cases (although it would be safer to check md5sums 
before installing)

 So if you start with the latest version,
 you have more chances to have less vulnerabilities in your OS. In
 any case, it doesn't save you from the need to install patches as
 soon as they are available, and the delay of Mandrake in providing
 the wu-ftpd patch looked very bad.
 

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
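The mirror-then-freshen procedure above, with the md5sum check Tzafrir mentions done before anything is installed, as an added shell example (not code from the thread). It assumes the mirror publishes an MD5SUMS file in md5sum -c format beside the packages, which is an assumption about the mirror's layout; make_fixture builds a constructed directory so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: fetch a distro's updates directory, verify every package
# against the mirror's MD5SUMS list, and freshen only the packages that
# verify. The MD5SUMS file name and "md5sum -c" layout are assumptions;
# mirrors differ. Where packages are signed, "rpm --checksig" is the
# stronger check; this script sticks to the md5sum check from the post.

# verify_updates DIR
#   Prints the names of the *.rpm files in DIR whose md5 matches MD5SUMS.
#   Returns 1 if any package is unlisted or has a bad checksum.
verify_updates() {
    dir=$1
    status=0
    [ -f "$dir/MD5SUMS" ] || { echo "no MD5SUMS in $dir" >&2; return 1; }
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || continue          # no packages at all
        name=$(basename "$pkg")
        expected=$(awk -v n="$name" '$2 == n { print $1 }' "$dir/MD5SUMS")
        if [ -z "$expected" ]; then
            echo "$name: not listed in MD5SUMS, skipping" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$pkg" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "$name"
        else
            echo "$name: checksum mismatch, skipping" >&2
            status=1
        fi
    done
    return $status
}

# fetch_and_freshen URL
#   Mirrors the updates directory (wget -r, as in the post) into ./updates,
#   verifies it, and freshens already-installed packages with rpm -Fv.
fetch_and_freshen() {
    url=$1
    wget -q -r -nd -P updates "$url" || return 1
    ok=$(verify_updates updates) || echo "some packages failed verification" >&2
    [ -n "$ok" ] || return 1
    # rpm -F (freshen) only replaces packages that are already installed.
    (cd updates && echo "$ok" | xargs rpm -Fv)
}

# make_fixture DIR
#   Constructed test data: one package with a correct checksum, one modified
#   after MD5SUMS was written (tampered), and one not listed at all.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'good package\n' > "$dir/good-1.0-1.i586.rpm"
    printf 'original\n'     > "$dir/tampered-1.0-1.i586.rpm"
    (cd "$dir" && md5sum good-1.0-1.i586.rpm tampered-1.0-1.i586.rpm) \
        > "$dir/MD5SUMS"
    printf 'modified\n'     > "$dir/tampered-1.0-1.i586.rpm"
    printf 'unlisted\n'     > "$dir/unlisted-1.0-1.i586.rpm"
}
```

Running `make_fixture /tmp/upd && verify_updates /tmp/upd` lists only good-1.0-1.i586.rpm and reports the tampered and unlisted packages on stderr.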






Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-02 Thread Ira Abramov

On Sun, 2 Jul 2000, Eli Marmor wrote:

 Does the ResierFS version, *which is built in Mandrake-7.1*, support
 NFS and can be exported to other machines on the LAN?

as before, no one here has really tested for sure, you are welcome to
tell us how it works for you or join their devel list and see for
yourself. I'm right now in exams so I don't have time for too many
lists, I'll be able to make time for it only in 2 weeks.

 RH6.2). What do you recommend to use with 7.1, GNOME or KDE?And if

this is a religious war troll, the answer is try each for a day and
decide. you just login from GDM/KDM to the one you want. none of the
other opinions you will get here will be objective, or even relevant to
what YOU need.

 Last thing: There is an Axiom that RH is better for servers while
 Mandrake is better for clients. But from my humble opinion, I see

bzzzt.

there are only minute (small) differences between Mandrake and RedHat,
the main one is the compiler pentium optimizations on Mandrake. other
than that there is nothing that makes them more suitable for either
client or server. the installation is also as friendly.

based on MAINLY that feature, I install ALL my clients AND servers on
mandrake, and never install RedHat (I haven't installed one in almost 2
years!)



-- Ira Abramov, GNU/Linux advocate. 
(@- "message passing as the fundamental operation of the OS is 
//\ just an exercise in computer science masturbation. It may 
v_/_ feel good, but you don't actually get anything DONE."
-- Linus on Microkernels.







Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-02 Thread Tzafrir Cohen

On Sun, 2 Jul 2000, Eli Marmor wrote:

 And in the same issue: In the past, Mandrake developed and invested
 in the KDE integration more thanin GNOME, while RedHat did the
 opposite. I heard that it is not true anymore (with Mandrake7.1 and
 RH6.2). What do you recommend to use with 7.1, GNOME or KDE?  And if
 I want the built-in "Hebrew" option of Mandrake7.1 to be active,
 which of them (GNOME/KDE) is recommended?  Is it supported by both
 (GNOME and KDE) under Mandrake 7.1, or only under one of them? Which
 one?

KDE has "hebrew support" (partially translated menu and a proper hebrew
keymap in kikbd) at least since kde 1.1. And to supplement that you have
http://kde.org/il (BTW: http://kde.org/il/hebrew is not exactly accurate).

The bit about translation is relatively easy to do, only no one bothered to
do it for gnome. As for keyboard layout - the gnome distro includes a
bogus hebrew keymap (/usr/share/xmodmap/xmodmap.il) .

Mandrake 7.1 (when you install with the Hebrew option) gets you a proper
console keymap [BTW: maybe RH 6.2 and other recent distros also have a
correct one. Can anybody check?], a proper xkb keymap (almost. See:
http://www.iglu.org.il/faq/cache/87.html ) which means that you get hebrew
keys when left-alt is pressed. (they also include a corrected xmodmap.il
file. [BTW: was it fixed in any gnome distro, or with any other distro?])

Another small point is that Mandrake comes with a little bit of hebrew
related software (not much, but it is selected automatically when you select
"Hebrew" installation). Most notably - fribidi 0.1.9, which includes a
very useful command-line filter (to read a hebrew mail message - pipe it
through 'fribidi -charset 8859-8' or through 'fribidi -charset 8859-8
-rtl')

BTW: Both come with vim that has hebrew support compiled in (although
Mandrake has a small /usr/doc/vim-common-*/vimrc_hebrew which might be
useful here). IMHO vim is currently the best editor for editing hebrew
texts (I don't intend to start a war here. I mean to say that vim is the
best of a relatively small group of editors with somewhat decent hebrew
support).

It is also worth noting that Mandrake makes it relatively easy to switch
to another desktop environment (kde, gnome, wmaker, enlightenment,
blackbox, blackbox/kde, wmaker/kde, ice, ice/gnome, etc.). Those look
well-packaged. I haven't tried RH's desktops, though.

 
 Last thing: There is an Axiom that RH is better for servers while
 Mandrake is better for clients. But from my humble opinion,I see
 the opposite, at least with the latest versions (MD7.1 vs. RH6.2):
 Mandrake supports features which are important for servers (e.g.
 ReiserFS, Paranoid security, etc.), while RH looks better for
 clients (e.g. easier installation, office apps, etc.). Am I wrong?

Another point here: Have you noticed how long it took Mandrake to issue
a fix to the recent wu-ftpd problem? Their fix package was created on
26.6, but was only announced an hour ago (see the changelog of:
http://rufus.w3.org/linux/RPM/mandrakecooker/cooker/Mandrake/RPMS/wu-ftpd-2.6.0-7mdk.i586.html

RedHat usually responds faster than Mandrake to these kinds of issues.

 
 Please don't start religious wars; I didn't ask questions like:
 "What is better, GNOME or KDE"; Even a KDE fan may admit that in
 some situations GNOME is preferred, and even a GNOME fan may admit
 the opposite. Somebody who prefer, for example, RH over Mandrake in
 any case, may admit that the superiority of RH is smaller in
 clients (and bigger in servers), and so on. I'm only trying to find
 the ideal situation for each distribution, and the ideal
 distribution for each desktop environment.
 
 Thanks in advance,

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir






Re: ReiserFS for NFS, Mandrake7.1, RH6.2, etc.

2000-07-02 Thread Oleg Goldshmidt

Eli Marmor [EMAIL PROTECTED] writes:

 which of them (GNOME/KDE) is recommended?  

For me, mostly an issue of look and feel. 

 Last thing: There is an Axiom that RH is better for servers while
 Mandrake is better for clients. But from my humble opinion, I see
 the opposite, at least with the latest versions (MD7.1 vs. RH6.2):
 Mandrake supports features which are important for servers (e.g.
 ReiserFS, Paranoid security, etc.), while RH looks better for
 clients (e.g. easier installation, office apps, etc.). Am I wrong?

Red Hat is clearly mass-market oriented. However, they probably figure
they'll sell more to companies and geeks who are likely to put many
workstations on a LAN. So I think that historically the default Red
Hat configuration was geared towards a networked workstation rather
than a standalone home desktop. I don't know where the "server axiom"
comes from, though. I have too little experience with Mandrake to say
anything.

-- 
Oleg Goldshmidt [EMAIL PROTECTED] 
"... We work but wit, and not by witchcraft;
 And wit depends on dilatory time." [Shakespeare]
