[plug] Installfest - distributions

Christian christian at amnet.net.au
Fri Aug 25 12:55:02 WST 2000


On Thu, Aug 24, 2000 at 11:38:20AM +0800, Bret Busby wrote:
 
> Regarding Red Hat, and the issue of security; does the "least stringent
> security" apply to local, or external security? Where ipchains is used
> (we have a quite complicated firewall script, that Christian had a look
> at, and said that it was too long and complicated to try to easily
> understand), isn't something like the implementation of the ipchains
> utility in a distribution, generic across the distributions? By that, I
> mean the actual code for the application (ipchains); isn't it the same,
> regardless of the distribution? Thus, if an ipchains firewall is used,
> shouldn't that overcome the security issues as far as security external
> to a LAN is concerned, if an external entity can't see past the firewall
> (on the ideal basis that a firewall is infallible, which, I believe they
> aren't; my understanding is that they just increase the probability of
> security)?

Bret, to paraphrase Bruce Schneier, security is not a program, it's a
process.  The only system I know that obtains security by merely
installing it is OpenBSD, and even then there are things you can do to
improve its security.  All Linux distributions are mediocre, at best,
when it comes to security.  The difference is, how much work (i.e., the
process bit) needs to be done to bring them up to scratch.  Security
requires both understanding the issues and knowing what to do.
"Hardening" scripts are semi-useful because they partially handle the
second bit but are not the answer because they don't handle the first at
all.  If you're so worried about security then register interest (and
enrol!) in the security unit I'm planning to run second semester next
year.  You can get more info at http://stallman.murdoch.edu.au.  That
way you will (hopefully) understand the *process* of security instead of
being caught up with the idea of different programs giving you security.

> Regarding Debian, and one of the more knowledgeable on the list can
> perhaps clarify this, but, in addition to the above comments about
> Debian, isn't it supposed to be easier (apart from the information on
> the debian.org website), to upgrade from one version of debian, to the
> next? While we have last weekend done an easy upgrade, from RH 6.0 to RH
> 6.2, I understand that RH cannot be upgraded from a first digit version
> number to a later first digit version number (eg, upgrading my RH 5.2 to
> RH 6.2); that it has to be done as a clean instal, but, that with
> Debian, it can be done, easily and simply. Am I correct in this belief?
> If so, that may be worth including in the comments about Debian. If I am
> mistaken, then, I can learn from the mistake. 

Debian will upgrade from successive stable distributions with virtually
no hitches.  It's also trivial to upgrade software and keep things up to
date (which helps with security).

Regards,

Christian.


