Forwarded from: Russell Coker <russellat_private>

On Tue, 1 Oct 2002 11:03, InfoSec News wrote:
> Forwarded from: Kurt Seifried <listuserat_private>
> The more security flaws you leave unsolved (even if they do not
> "directly affect" your users) the more likely some combination of
> bugs will occur that does allow an attacker in.

This is a good point.

I think that the best way to develop a distribution with advanced security is to build on top of one that's already got a good record. Debian has a good track record of responding in a timely fashion to security bugs. So for my SE Debian work all I have to do is get the SE Linux part going and I can rely on other people to deal with SSL stack overflows, zlib bugs, SUID programs that use predictable file names in /tmp, etc.

I believe that anyone who is developing a secure distribution of Linux is best advised to make it a "bolt on" for a major distribution that has a good record in dealing with security patches, so that then all you have to work on is your "bolt on" part and not the entire system.

By using this approach I have been able to develop a secure distribution on my own without much assistance. I believe that other people who have similar aims are spending much more effort on this because they are also working on the base OS.

Russell Coker

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 03:43:33 PDT