From: Javier Martínez
To: gentoo-hardened@lists.gentoo.org
Date: Wed, 20 Aug 2008 22:17:42 +0200
Subject: Re: [gentoo-hardened] Updates: a way too simplified security question I am asking anyway
In-Reply-To: <200808202114.57420.janklodvan@gmail.com>

Well, first, bugs are always there; maybe the only difference between these two OSes is that OpenBSD has found more of them (maybe). This does not mean that OpenBSD is free of bugs; it still has them, be sure of this. If this statement is not true, why are they still doing audits of their code if there are no bugs? This is not an ideal world; software is written by humans, so since humans are not perfect, software is not perfect too. Bugs will exist forever; the only thing developers can do is search for them, nothing more.

Do you want something to be safe? First make your system a B1 one (Orange Book), configure RSBAC/SELinux to do so, configure PaX, make a trusted path execution to avoid execution of untrusted software (exploits), and then control the execution of perl and python (among others) scripts (in the way of "perl blablabla.pl", which does not need execution rights). Under these two frameworks you can do it. Can you do this under OpenBSD ;).

2008/8/20, Jan Klod :
> Hello,
> some people in gentoo forum made me ask this one: it is supposed, that regular
> updates of system is a wise thing to do, but, excuse me, ... those bugs and
> holes are there before someone say "update them" -- so do you agree, nowadays
> Linux is never safe?
> OpenBSD has its own slogan about only very few remote holes in long time -- so
> it makes an impression, I can install an OpenBSD machine and let it do its job.
> Can anyone crash my impression about OpenBSD (and is it still alive enough, by
> the way?)?
> How about hardened gentoo in this regard (create system for few, specific
> purposes and leave it for years without damn update hustle)?
>
> I realize, this is "in general", but the question is about software writing
> style (think when write it or wait for someone to find what is wrong) and
> ways to protect from bugs (like overflows etc) in software.
>
> In ideal world, updates are necessary only to get software, that has new
> functions -- do we seem to approach it?
>
> Jan
>
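The trusted path execution rule Javier refers to, together with his point that "perl blablabla.pl" runs a script that needs no execute bit, as an added illustration that is not code from the post, from RSBAC or from PaX: a grsecurity-style TPE check (a file may run only from a root-owned directory that is neither group- nor world-writable) applied to the interpreter and to its script argument. The interpreter list and the directory table are constructed assumptions for the example.

```python
import os
import stat
from typing import Callable, Dict, List, Tuple

# Interpreters whose first non-option argument is a script that runs without
# needing the execute bit. Assumption: illustrative list, not a real TPE policy.
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "sh", "bash"}

# Constructed directory table: directory -> (owner uid, mode). Stands in for
# os.stat(directory).st_uid / .st_mode so the example runs offline.
CONSTRUCTED_DIRS: Dict[str, Tuple[int, int]] = {
    "/usr/bin": (0, 0o755),        # root-owned, not writable by others: trusted
    "/home/alice": (1000, 0o755),  # owned by a user: untrusted
    "/tmp": (0, 0o1777),           # root-owned but world-writable: untrusted
}

def dir_is_trusted(uid: int, mode: int) -> bool:
    """TPE rule: root-owned and neither group- nor world-writable, so an
    unprivileged user cannot drop a new binary or script into the directory."""
    return uid == 0 and not mode & (stat.S_IWGRP | stat.S_IWOTH)

def files_to_check(argv: List[str]) -> List[str]:
    """The program itself is always checked. For a known interpreter the first
    non-option argument is the script that really runs, so it is checked too."""
    paths = [argv[0]]
    if os.path.basename(argv[0]) in INTERPRETERS:
        for arg in argv[1:]:
            if not arg.startswith("-"):  # skip flags such as "perl -w"
                paths.append(arg)
                break
    return paths

def tpe_allows(argv: List[str],
               dir_stat: Callable[[str], Tuple[int, int]]) -> Tuple[bool, str]:
    """dir_stat(directory) -> (uid, mode). Returns (allowed, reason)."""
    for path in files_to_check(argv):
        directory = os.path.dirname(path) or "."
        uid, mode = dir_stat(directory)
        if not dir_is_trusted(uid, mode):
            return False, f"{path}: untrusted dir {directory} (uid={uid}, mode={oct(mode)})"
    return True, "all executed files live in trusted directories"

def constructed_dir_stat(directory: str) -> Tuple[int, int]:
    """Lookup against the constructed table; unknown directories are untrusted."""
    return CONSTRUCTED_DIRS.get(directory, (65534, 0o777))

if __name__ == "__main__":
    print(tpe_allows(["/usr/bin/perl", "-w", "/home/alice/blablabla.pl"], constructed_dir_stat))
```

On a real host, replace constructed_dir_stat with a function returning os.stat(directory).st_uid and .st_mode; checking only argv[0] would let the interpreter pass while the user-owned script still runs.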