Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: a secure base system
From: martin f krafft <madduck () madduck net>
Date: Mon, 15 Mar 2004 22:50:34 +0100

also sprach Tobias Weisserth <tobias () weisserth de> [2004.03.15.2208 +0100]:
Which means that he has to a little bit more work because he can't
*rely* on the distributor to supply patches in time. It's a trade-off.

Sure, it's a trade-off. But with the administrative tools provided
by Debian, as well as the cleanliness of a Debian system, I'd choose
that over OpenBSD anytime. After all, FHS-compliance and system
integrity/cleanliness contribute a significant portion to security.

He'll have to stay informed himself if the Debian Security Team
doesn't warn in time about critical packages in unstable or
testing. Maybe it mustn't be this way and there are regular
updates for unstable. But the Debian site itself advises against
the use of unstable regarding the security issues.

I use testing on over 100 production systems and have never had
a single problem. By the time that security updates make it to
security.debian.org for stable, an updated version makes it to
unstable. So I mix testing and unstable and only update when really
necessary. This has treated me very well.

And concerning workstations: your security better shield a security
problem on a workstation.

Non comprende? ;-)

If, in a productive setting, you are concerned about remote exploits
to your workstation, then you've got a whole different problem. Of
course, exploits may still come from inside, but the risk should be
relatively low since productive workstations should not be able to
inflict any harm.

Though a lot of work if we're talking about workstations here...

Our productive workstations get installed once and stay like that
for months. With the appropriate AIDE/Tripwire rulesets, that's not
different than a server.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net () madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
who's general failure, and why's he reading my disk?

Attachment: signature.asc
Description: Digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault