Message-ID: <20040315215034.GA31982@piper.madduck.net>
From: madduck at madduck.net (martin f krafft)
Subject: Re: Re: a secure base system
also sprach Tobias Weisserth <tobias@...sserth.de> [2004.03.15.2208 +0100]:
> Which means that he has to do a little bit more work because he can't
> *rely* on the distributor to supply patches in time. It's a trade-off.
Sure, it's a trade-off. But with the administrative tools provided
by Debian, as well as the cleanliness of a Debian system, I'd choose
that over OpenBSD anytime. After all, FHS-compliance and system
integrity/cleanliness contribute a significant portion to security.
> He'll have to stay informed himself if the Debian Security Team
> doesn't warn in time about critical packages in unstable or
> testing. Maybe it mustn't be this way and there are regular
> updates for unstable. But the Debian site itself advises against
> the use of unstable regarding the security issues.
I use testing on over 100 production systems and have never had
a single problem. By the time that security updates make it to
security.debian.org for stable, an updated version makes it to
unstable. So I mix testing and unstable and only update when really
necessary. This has treated me very well.
> > And concerning workstations: your security better shield a security
> > problem on a workstation.
>
> Non comprende? ;-)
If, in a productive setting, you are concerned about remote exploits
to your workstation, then you've got a whole different problem. Of
course, exploits may still come from inside, but the risk should be
relatively low since productive workstations should not be able to
inflict any harm.
> Though a lot of work if we're talking about workstations here...
Our productive workstations get installed once and stay like that
for months. With the appropriate AIDE/Tripwire rulesets, that's not
different than a server.
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@...duck
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
who's general failure, and why's he reading my disk?