Re: Why is Debian not secure by default?



On Sun, 23 Jan 2011 09:04:32 +0100
Sven Joachim <svenjoac@xxxxxx> wrote:

On 2011-01-23 07:29 +0100, Rico Secada wrote:

After having brushed up on some technical aspects of security I would
like to understand why Debian isn't secure by default.

As we all know a lot of security breaches occur because of overflow
errors. Different protective measures have been developed, for
example "executable space protection".

As seen in this comparison list, both Fedora and SUSE are running
with some method of protection enabled by default whereas Debian isn't.

http://en.wikipedia.org/wiki/Comparison_of_Linux_distributions#Security_features

Another example is "stack checking" in GCC where for example OpenBSD
ships with this setting as "enabled-by-default" whereas it is
"off-by-default" on Debian.

I would like to understand why Debian is running with this policy of
"security is off by default"?

Basically because the developers cannot agree where the hardened
compiler options should be implemented. You can get more information by
reading http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688.

Sven


This was detailed in a release from the security team today:

* Hardening compiler flags

Debian is currently one of the few distributions that doesn't enable hardening
options in the compiler that protect packages against certain types of
vulnerability. There has been work on this for a longer time but it didn't
yet come to fruition. A Birds of a Feather-session will be organised at the
upcoming Debian Conference to get all involved people together and implement
this.

So, in short, it's happening. Just slowly.

--
rbmj


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/20110124034306.50c970b7@blair-laptop
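The "executable space protection" Rico asks about is, for the stack, a per-binary marking rather than a kernel-only setting: the linker emits a PT_GNU_STACK program header whose flags say whether the stack may be executable (GNU ld sets it with -z noexecstack / -z execstack). The following is an added example, not code from the thread or from Debian's hardening work, that parses that header directly so a practitioner can audit binaries without relying on a particular toolchain. The sample ELF image it builds is constructed for the test and is not a loadable program; the return codes and the helper names are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ELF constants from the ELF specification (same values as in <elf.h>),
 * defined locally so the example builds without that header. */
#define PT_LOAD       1u
#define PT_GNU_STACK  0x6474e551u   /* GNU extension: requested stack permissions */
#define PF_X          0x1u
#define PF_W          0x2u
#define PF_R          0x4u

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Inspect the PT_GNU_STACK program header of a little-endian ELF image.
 *  1  stack marked executable (PF_X set): no NX protection for the stack
 *  0  stack marked non-executable: protected
 * -1  no PT_GNU_STACK header at all; the Linux loader has historically treated
 *     a missing marking as a request for an executable stack, so count it as unprotected
 * -2  not a little-endian ELF32/ELF64 image, or the header table is out of range */
int elf_stack_executable(const unsigned char *buf, size_t len)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[5] != 1 /* ELFDATA2LSB */)
        return -2;
    int is64 = (buf[4] == 2);                  /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if (!is64 && buf[4] != 1) return -2;
    if (is64 && len < 64) return -2;

    uint64_t phoff   = is64 ? rd64(buf + 32) : rd32(buf + 28);   /* e_phoff */
    uint16_t phentsz = is64 ? rd16(buf + 54) : rd16(buf + 42);   /* e_phentsize */
    uint16_t phnum   = is64 ? rd16(buf + 56) : rd16(buf + 44);   /* e_phnum */
    size_t   flagoff = is64 ? 4 : 24;          /* offset of p_flags inside a Phdr */
    if (phentsz < (is64 ? 56 : 32)) return -2;

    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsz;
        if (off > len || len - off < phentsz) return -2;   /* truncated table */
        const unsigned char *ph = buf + off;
        if (rd32(ph) == PT_GNU_STACK)          /* p_type */
            return (rd32(ph + flagoff) & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Same check on a file on disk, e.g. "/proc/self/exe" or "/usr/bin/ls". */
int elf_file_stack_executable(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    size_t cap = 1 << 16, len = 0, n;
    unsigned char *buf = malloc(cap);
    if (!buf) { fclose(f); return -2; }
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {   /* read whole file */
        len += n;
        if (len == cap) {
            unsigned char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); fclose(f); return -2; }
            buf = tmp; cap *= 2;
        }
    }
    fclose(f);
    int r = elf_stack_executable(buf, len);
    free(buf);
    return r;
}

/* Constructed sample (not a runnable binary): minimal ELF64 header, one PT_LOAD
 * entry and, optionally, a PT_GNU_STACK entry carrying the given p_flags. */
static size_t make_sample_elf(unsigned char *out, size_t cap, uint32_t stack_flags, int with_gnu_stack)
{
    const size_t ehsz = 64, phsz = 56;
    uint16_t phnum = with_gnu_stack ? 2 : 1;
    size_t total = ehsz + phnum * phsz;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;        /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    out[16] = 2; out[18] = 62;                 /* ET_EXEC, EM_X86_64 */
    out[32] = 64; out[52] = 64; out[54] = 56;  /* e_phoff, e_ehsize, e_phentsize */
    out[56] = (unsigned char)phnum;            /* e_phnum */
    unsigned char *ph = out + ehsz;
    wr32(ph, PT_LOAD); wr32(ph + 4, PF_R | PF_X);
    if (with_gnu_stack) { wr32(ph + phsz, PT_GNU_STACK); wr32(ph + phsz + 4, stack_flags); }
    return total;
}

/* Build a sample with the given stack flags and classify it. */
int sample_elf_stack_status(uint32_t stack_flags, int with_gnu_stack)
{
    unsigned char buf[256];
    size_t n = make_sample_elf(buf, sizeof buf, stack_flags, with_gnu_stack);
    return elf_stack_executable(buf, n);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int r = elf_file_stack_executable(path);
    printf("%s: %s\n", path,
           r == 1  ? "stack EXECUTABLE (no NX protection)" :
           r == 0  ? "stack non-executable" :
           r == -1 ? "no PT_GNU_STACK header (loader falls back to an executable stack)" :
                     "not a parseable little-endian ELF");
    return 0;
}
```

The same information is what `readelf -W -l binary | grep GNU_STACK` prints in its Flags column; the other protection named in the thread, GCC's -fstack-protector, shows up as an undefined reference to `__stack_chk_fail` (`nm -D binary | grep stack_chk`), which is how distribution audits typically tell hardened builds from unhardened ones.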


