[arch-general] ALSTF (Arch Linux Security Task Force)?
:-) I've found such a topic when browsing the Wiki: http://wiki.archlinux.org/index.php/Security_Task_Force Well, sound like a very smart idea. IMHO it's a thing that makes a distro more 'prestigious' -- it's quite difficult to convince someone to using a distro for something more than just a testing workstation if it's security is, let's say... 'unknown'. Unfortunately there *are* some regressions in the upstream that make the latest stable releases vulnerable. In fact it's the main reason that prevents my faculty from switching from Gentoo and log-time compilations to simple and KISS-ing Arch. Any work toward ALSTF in the recent past? Best regards, Marek
On 12/06/10 19:06, Marek Kozlowski wrote:
:-)
I've found such a topic when browsing the Wiki:
http://wiki.archlinux.org/index.php/Security_Task_Force
Well, sound like a very smart idea. IMHO it's a thing that makes a distro more 'prestigious' -- it's quite difficult to convince someone to using a distro for something more than just a testing workstation if it's security is, let's say... 'unknown'. Unfortunately there *are* some regressions in the upstream that make the latest stable releases vulnerable. In fact it's the main reason that prevents my faculty from switching from Gentoo and log-time compilations to simple and KISS-ing Arch. Any work toward ALSTF in the recent past?
Nope... there has been a lot of talk but nothing ever comes of it (apart from a wiki page it seems!). Allan
On 06/12/2010 10:06 AM, Marek Kozlowski wrote:
:-)
I've found such a topic when browsing the Wiki:
http://wiki.archlinux.org/index.php/Security_Task_Force
Well, sound like a very smart idea. IMHO it's a thing that makes a distro more 'prestigious' -- it's quite difficult to convince someone to using a distro for something more than just a testing workstation if it's security is, let's say... 'unknown'. Unfortunately there *are* some regressions in the upstream that make the latest stable releases vulnerable. In fact it's the main reason that prevents my faculty from switching from Gentoo and log-time compilations to simple and KISS-ing Arch. Any work toward ALSTF in the recent past?
After reading the wiki page it seems that at least the part of keeping with the latest _stable_ upstream release is already followed (within reasonable limits not to break stuff for everyone), if not then lots of families will cry, scream and ask why package foo hasn't been updated to the latest upstream release :P On the other hand, the security business seems to be a full time job, Arch's devs already donate a considerable time to maintain Arch and keep things running smoothly, I am very grateful for that and in my opinion they do a great job and it is selfish to ask them to do even more. The other side of things, and I've seen it popping up here and in the forums, is the use of selinux and similar security measures. People that have opted to use Arch because of it's philosophy are most probably people that really want to have a grasp of how things work and want to know how to solve problems, therefore typically they don't bite more than they can chew and start simple.
From my very limited experience, selinux is not easy to manage unless you really know what you are doing and most users do not ask for it so devs and TU's don't spend time maintainning something that no one uses.
My guess is that if you really need these features and peace of mind you have two options, either start the effort to maintain it within Arch, if you have the time and feel up to it, or use another distro in your critical machines that provides these features for you. I guess that up until now no one felt capable of tackling this task or the itch wasn't that bad :P -- Mauro Santos
participants (3)
-
Allan McRae
-
Marek Kozlowski
-
Mauro Santos