Message-ID: <897813410808201317s1850d9e3ne67f3399df7db1d@mail.gmail.com>
Date: Wed, 20 Aug 2008 22:17:42 +0200
From: "Javier Martínez" <tazok.id0@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Updates: a way too simplified security question I am asking anyway
In-Reply-To: <200808202114.57420.janklodvan@gmail.com>
References: <1217603370.1820.242.camel@liasis.inforead.com>
	 <200808201454.37350.janklodvan@gmail.com>
	 <1219247184.19388.58.camel@nc.nor.wtbts.org>
	 <200808202114.57420.janklodvan@gmail.com>

Well, first, bugs are always there; maybe the only difference between
these two OSes is that OpenBSD has found more of them (maybe). This does
not mean that OpenBSD is free of bugs; it still has them, be sure
of this. If this statement is not true, why are they still doing
audits of their code if there are no bugs?

This is not an ideal world; software is written by humans, so since
humans are not perfect, software is not perfect either. Bugs will exist
forever; the only thing developers can do is search for them,
nothing more.

Do you want something to be safe? First make your system a B1 one
(Orange Book): configure RSBAC/SELinux to do so, configure PaX, set up
trusted path execution to avoid execution of untrusted software
(exploits), and then control the execution of perl and python scripts
(among others), run in the way of "perl blablabla.pl", which does not
need execution rights. Under these two frameworks you can do it. Can
you do this under OpenBSD? ;)

2008/8/20, Jan Klod <janklodvan@gmail.com>:
> Hello,
> some people in the gentoo forum made me ask this one: it is supposed that
> regular updates of the system are a wise thing to do, but, excuse me, ... those
> bugs and holes are there before someone says "update them" -- so do you agree,
> nowadays Linux is never safe?
> OpenBSD has its own slogan about only very few remote holes in a long time --
> so it makes an impression that I can install an OpenBSD machine and let it do
> its job.
> Can anyone crash my impression about OpenBSD (and is it still alive enough,
> by the way?)?
> How about hardened gentoo in this regard (create a system for few, specific
> purposes and leave it for years without the damn update hustle)?
>
> I realize this is "in general", but the question is about software writing
> style (think when writing it, or wait for someone to find what is wrong) and
> ways to protect from bugs (like overflows etc.) in software.
>
> In an ideal world, updates are necessary only to get software that has new
> functions -- do we seem to approach it?
>
> Jan
>
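Javier's remark about "perl blablabla.pl" is the classic blind spot of trusted path execution: TPE governs execve() of the file itself, but an interpreter living in a trusted directory runs the script as data, so the script never passes the check. The checker below is an added example (not code from the thread, Gentoo, RSBAC or PaX) that reconstructs that view from exec records; the record format, the trusted directory list and the sample lines are all constructed here for illustration.

```python
import shlex
from pathlib import PurePosixPath

# Directories a TPE policy would treat as trusted (assumed for this example).
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")
# Interpreters that will run whatever script they are handed as an argument.
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "sh", "bash"}

def in_trusted_path(path):
    """True if path lies under one of the trusted directories."""
    p = PurePosixPath(path)
    return any(PurePosixPath(d) in p.parents for d in TRUSTED_DIRS)

def script_argument(argv):
    """First non-option argument after the interpreter; None for inline code (-c/-e)."""
    for arg in argv[1:]:
        if arg in ("-c", "-e"):
            return None
        if not arg.startswith("-"):
            return arg
    return None

def check_exec(record):
    """Classify one exec record of the constructed form
    'uid=<n> cwd=<dir> exe=<path> argv="<command line>"'.
    Returns (verdict, detail) with verdict in ok / untrusted-exe / untrusted-script."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(record))
    exe, cwd = fields["exe"], fields["cwd"]
    if not in_trusted_path(exe):
        return ("untrusted-exe", exe)               # what TPE itself would block
    if PurePosixPath(exe).name in INTERPRETERS:
        script = script_argument(shlex.split(fields["argv"]))
        if script is not None:
            full = str(PurePosixPath(cwd) / script)  # relative paths resolve against cwd
            if not in_trusted_path(full):
                return ("untrusted-script", full)   # the gap TPE alone leaves open
    return ("ok", exe)

def audit(records):
    """Return [(verdict, detail), ...] for every record."""
    return [check_exec(r) for r in records]

# Constructed sample records, not real audit output.
SAMPLE_LOG = [
    'uid=1000 cwd=/home/alice exe=/usr/bin/perl argv="perl blablabla.pl"',
    'uid=1000 cwd=/home/alice exe=/home/alice/a.out argv="./a.out"',
    'uid=0 cwd=/ exe=/usr/bin/python argv="python /usr/lib/example/tool.py"',
    'uid=1000 cwd=/home/alice exe=/usr/bin/python argv="python -c print(1)"',
]

if __name__ == "__main__":
    for verdict, detail in audit(SAMPLE_LOG):
        print(f"{verdict:17} {detail}")
```

The second record is the case TPE already handles; the first is the one it misses, which is why the interpreters themselves need a policy of their own.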