From: "Javier Martínez" <tazok.id0@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Updates: a way too simplified security question I am asking anyway
Date: Wed, 20 Aug 2008 22:17:42 +0200
Message-ID: <897813410808201317s1850d9e3ne67f3399df7db1d@mail.gmail.com>
In-Reply-To: <200808202114.57420.janklodvan@gmail.com>
Well, first, bugs are always there. Maybe the only difference between
these two OSes is that OpenBSD has found more of them (maybe). This
does not mean that OpenBSD is free of bugs; it still has them, be sure
of this. If this statement is not true, why are they still making
audits of their code if there are no bugs?

This is not an ideal world. Software is written by humans, so since
humans are not perfect, software is not perfect either. Bugs will exist
forever; the only thing developers can do is search for them,
nothing more.

Do you want something to be safe? First make your system a B1 one
(Orange Book), configure RSBAC/SELinux to do so, configure PaX, set up
trusted path execution to avoid execution of untrusted software
(exploits), and then control the execution of Perl and Python (among
others) scripts (in the way of perl blablabla.pl, which does not need
execution rights). Under these two frameworks you can do it. Can
you do this under OpenBSD? ;)

2008/8/20, Jan Klod <janklodvan@gmail.com>:
> Hello,
> some people in the gentoo forum made me ask this one: it is supposed that
> regular updates of the system are a wise thing to do, but, excuse me, ...
> those bugs and holes are there before someone says "update them" -- so do
> you agree, nowadays Linux is never safe?
> OpenBSD has its own slogan about only very few remote holes in a long
> time -- so it makes an impression, I can install an OpenBSD machine and
> let it do its job.
> Can anyone crash my impression about OpenBSD (and is it still alive
> enough, by the way?)?
> How about hardened gentoo in this regard (create a system for a few, specific
> purposes and leave it for years without damn update hustle)?
>
> I realize this is "in general", but the question is about software writing
> style (think when writing it or wait for someone to find what is wrong) and
> ways to protect from bugs (like overflows etc.) in software.
>
> In an ideal world, updates are necessary only to get software that has new
> functions -- do we seem to approach it?
>
> Jan