- To: seifried@xxxxxxxxxxxxxxxxxx
- Subject: [SLUG] A comment on Linux Security Reviews
- From: Jeff Waugh <jdub@xxxxxxxxxxx>
- Date: Wed Jul 26 17:06:21 2000
- Cc: Sydney Linux Users Group <slug@xxxxxxxxxxx>
- User-agent: Mutt/1.2i
Kurt,
Another member of SLUG (the Sydney Linux User Group), Ken Yap, lobbed in
another of his classic One Line Link grenades, pointing to your review of
various distributions' security:
> http://www.securityportal.com/cover/coverstory20000724.html
My response (or, meta-review):
Argh! Same-old same-old.
"We didn't do Debian because it's not new." (Translation: We didn't do
Debian because we didn't make the effort to understand how the system
works.)
Two examples of Debian installations:
1) SLUG Server: Installed from three floppies a very minimal version of
slink, which is the official 'stable' version. Put the machine on the
network and within twenty minutes had potato installed, which is the
official 'frozen' version. The machine is automatically updated to recent
versions of the software in the potato archive.
2) My Desktop: Installed potato from CD and within an hour had woody
installed, which is the official 'unstable' version. The machine is
manually updated to recent versions of the software in the woody archive.
Two snags so far in woody: The php4-gd package (drawing functions etc) was
borked, so it couldn't be installed with the newer php4; I was given the offer
to hold off upgrading all of the dependent packages. The openssl library has
been updated, but a lot of the software hasn't; if I were to install the
library, that software would have to be removed. Again, I was given the option
to hold the upgrade.
The beauty of Debian is that the idea of a distribution "version" goes out
the window. You progressively upgrade the important parts: The software. The
concept of a static, one-time software release for operating systems is old
hat, especially considering the complexity of modern systems and their mass
of inter-reliant software.
Question: You like your software developed by many, modified by many,
enhanced by many, and open to many, right? Why not choose a distribution
that is built under the same scrutiny (the 'bazaar'), rather than
entrusting this critical step in the formation of a stable operating
system to cathedral-style methods?
A thorough examination of the best method of:
a) Building the foundations of a complex array of software, and,
b) Distributing and updating that software
would have proven the author's credibility when reviewing security in the
Linux 'marketplace'. An article and review on security is not going to be of
interest to a desktop user (or, at least, shouldn't be necessary), and hence
the argument that updating Debian "is too hard" won't stick.
With apologies to 'Doc' at the end of Back to the Future,
"Where we're going, we don't need versions."
- Jeff (Ranty-Pants) Waugh
-- jdub@xxxxxxxxxxx ----------------------- http://linux.org.au/installfest/
http://linux.conf.au/
I am Jack's implicit trust of ActiveX & VBScript. http://slug.org.au/