From: InfoSec News (isn_at_c4i.org)
Date: Wed Oct 02 2002 - 03:38:48 CDT
Forwarded from: Russell Coker <russell coker.com.au>
On Tue, 1 Oct 2002 11:03, InfoSec News wrote:
> Forwarded from: Kurt Seifried <listuser seifried.org>
> The more security flaws you leave unsolved (even if they do not
> "directly affect" your users) the more likely some combination of
> bugs will occur that does allow an attacker in.
This is a good point. I think that the best way to develop a
distribution with advanced security is to build on top of one that's
already got a good record.
Debian has a good track record of responding in a timely fashion to
security bugs. So for my SE Debian work all I have to do is get the
SE Linux part going and I can rely on other people to deal with SSL
stack overflows, zlib bugs, SUID programs that use predictable file
names in /tmp, etc.
I believe that anyone who is developing a secure distribution of Linux
is best advised to make it a "bolt on" for a major distribution that
has a good record in dealing with security patches, so that then all
you have to work on is your "bolt on" part and not the entire system.
By using this approach I have been able to develop a secure
distribution on my own without much assistance. I believe that other
people who have similar aims are spending much more effort on this
because they are also working on the base OS.
Russell Coker
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo attrition.org with 'unsubscribe isn' in the BODY of the mail.