Message-ID: <20040315215034.GA31982@piper.madduck.net>
From: madduck at madduck.net (martin f krafft)
Subject: Re: Re: a secure base system

also sprach Tobias Weisserth <tobias@...sserth.de> [2004.03.15.2208 +0100]:
> Which means that he has to a little bit more work because he can't
> *rely* on the distributor to supply patches in time. It's a trade-off.

Sure, it's a trade-off. But with the administrative tools provided
by Debian, as well as the cleanliness of a Debian system, I'd choose
that over OpenBSD anytime. After all, FHS-compliance and system
integrity/cleanliness contribute a significant portion to security.

> He'll have to stay informed himself if the Debian Security Team
> doesn't warn in time about critical packages in unstable or
> testing. Maybe it mustn't be this way and there are regular
> updates for unstable. But the Debian site itself advises against
> the use of unstable regarding the security issues.

I use testing on over 100 production systems and have never had
a single problem. By the time that security updates make it to
security.debian.org for stable, an updated version makes it to
unstable. So I mix testing and unstable and only update when really
necessary. This has treated me very well.

> > And concerning workstations: your security better shield a security
> > problem on a workstation.
>
> Non comprende? ;-)

If, in a productive setting, you are concerned about remote exploits
to your workstation, then you've got a whole different problem. Of
course, exploits may still come from inside, but the risk should be
relatively low since productive workstations should not be able to
inflict any harm.

> Though a lot of work if we're talking about workstations here...

Our productive workstations get installed once and stay like that
for months. With the appropriate AIDE/Tripwire rulesets, that's not
different than a server.

--
martin; (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@...duck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

who's general failure, and why's he reading my disk?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040315/fdbf1d50/attachment.bin