Re: Ann: common secure linux mailing list
Rik van Riel wrote:
> On Sun, 6 Jun 1999, Chris Evans wrote:
> > On Sun, 6 Jun 1999, Rik van Riel wrote:
> >
> > > The main things we'll discuss on the list will be things
> > > like bug fixes, code fixups and generic security ideas that
> > > are usable in all secure Linux distributions.
> >
> > Unless I'm mistaken, that's what goes on here. Surely list
> > fragmentation is a bad idea?
I don't see it as fragmentation. I see it as an attempt to unify an
arena that is already badly fragmented. There are lots of groups
working to enhance Linux security in one form or another, and yet none
of them have anywhere near the critical mass of OpenBSD, which itself is
a pretty small-time operation. If securedistros@nl.linux.org can
achieve effective sharing of results, then that in itself is a very
large contribution.
> The security-audit list is for the improvement of programs.
> The list I set up was meant as a list for the general
> improvement of packages, the configuration of packages and
> choosing which package to use for such a distribution.
>
> Unfortunately, I seem to have had a slight brain fart
> when doing the above announcement -- the overlap with
> security-audit wasn't planned :(
The difference I perceive between securedistros and security-audit is
that security-audit has focussed on fixing programs and packages, but
has been ineffective in coming up with a complete distro of secured
packages. The auditing has been ad hoc.
Security-audit would be a much more valuable resource if there was a
well-organized web site of:
  * comprehensive list of packages needing auditing
  * comprehensive list of audited packages, including
      o who audited it (a list of people)
      o what problems they found
      o fixed versions
      o information about whether the patches have been adopted by the
        package maintainer
  * bonus: an actual distro of all-audited packages
Ideas like this have been discussed on security-audit before, but no one
ever took the initiative to actually do it.
Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Microsoft: Putting the "lame" in "layman"
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/