[arch-general] Arch Linux and security - it needs some work
I really like Arch. I switched about a year ago after being a Debian user for nine years. There is something that troubles me though about Arch. Its lack of security focus. By this I mean there is no consistent way that security issues are dealt with. There was a proposal for 'The Arch Linux Security Team' but it seems to have fallen by the wayside[1]. I propose to resurrect this in the spirit of Arch's users becoming contributors.

I, hopefully not alone, wish to draw up a list of processes that can be used to create a dedicated Arch Linux security team that can deal quickly and efficiently with security alerts. It would need to be able to liaise successfully with Arch developers and hopefully over time security team members can become trusted users.

I'm mentioning it now as I notice that an Arch Conference is being organised in Canada. One of my proposals (shamefully stolen from Debian) would be to have key-signing parties at Arch Linux meet-ups. This could then be used to create an Arch Linux web of trust.

So basically I'm going to get my ideas into writing and post them on this list. I hope others will be willing to come forward and contribute too. After some discussion we should be able to reach a consensus and start giving security issues the priority they deserve.

regards,
Ananda Samaddar

[1] http://wiki.archlinux.org/index.php/Security_Task_Force
On Sun, Jan 31, 2010 at 10:01, Ananda Samaddar <ananda.samaddar@vfemail.net> wrote:
I really like Arch. I switched about a year ago after being a Debian user for nine years. There is something that troubles me though about Arch. Its lack of security focus.
Basically this and everything related to it comes down to manpower. Every time it gets brought up, the response is "that would be nice" and then no one does anything. If you want to make it happen, then work on submitting patches and doing the legwork that needs to be done.
On Sun, Jan 31, 2010 at 9:05 AM, Daenyth Blank <daenyth+arch@gmail.com> wrote:
On Sun, Jan 31, 2010 at 10:01, Ananda Samaddar <ananda.samaddar@vfemail.net> wrote:
I really like Arch. I switched about a year ago after being a Debian user for nine years. There is something that troubles me though about Arch. Its lack of security focus.
Basically this and everything related to it comes down to manpower. Every time it gets brought up, the response is "that would be nice" and then no one does anything. If you want to make it happen, then work on submitting patches and doing the legwork that needs to be done.
Don't forget: everyone is interested in "starting discussions" or "planning" or "drawing up plans", but when it comes to the actual work well, then the original initiators get disinterested. It's as if the problem is purely academic and all that's needed is a solution and things will simply get implemented.
On Mon, Feb 1, 2010 at 3:14 PM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Sun, Jan 31, 2010 at 9:05 AM, Daenyth Blank <daenyth+arch@gmail.com> wrote:
On Sun, Jan 31, 2010 at 10:01, Ananda Samaddar <ananda.samaddar@vfemail.net> wrote:
I really like Arch. I switched about a year ago after being a Debian user for nine years. There is something that troubles me though about Arch. Its lack of security focus.
Basically this and everything related to it comes down to manpower. Every time it gets brought up, the response is "that would be nice" and then no one does anything. If you want to make it happen, then work on submitting patches and doing the legwork that needs to be done.
Don't forget: everyone is interested in "starting discussions" or "planning" or "drawing up plans", but when it comes to the actual work well, then the original initiators get disinterested. It's as if the problem is purely academic and all that's needed is a solution and things will simply get implemented.
How is Arch Linux far behind in security as compared to Debian? Perhaps I caught this conversation late but I would like to know what makes Debian better in aspects of security -vs- Arch? Can anyone please explain?
On Mon, Feb 1, 2010 at 15:17, Carlos Williams <carloswill@gmail.com> wrote:
How is Arch Linux far behind in security as compared to Debian? Perhaps I caught this conversation late but I would like to know what makes Debian better in aspects of security -vs- Arch? Can anyone please explain?
Mainly package signing I think
On Mon, 1 Feb 2010 15:17:51 -0500, Carlos Williams <carloswill@gmail.com> wrote:
How is Arch Linux far behind in security as compared to Debian? Perhaps I caught this conversation late but I would like to know what makes Debian better in aspects of security -vs- Arch? Can anyone please explain?
Debian keeps extremely outdated package versions in its repos - for "stability" *cough* - and needs to patch all of these packages regularly to fix the whole security bugs of these outdated packages. So they need a separate security team. Arch Linux is bleeding edge, is at least not much less if not more stable than Debian, because it usually only installs stable upstream releases, and therefore has always the latest upstream security fixes. If a security bug is found it should be filed to and fixed by upstream anyway. Greetings, Heiko
On Mon, 1 Feb 2010 22:21:03 +0100, Heiko Baums <lists@baums-on-web.de> wrote:
If a security bug is found it should be filed to and fixed by upstream anyway.
This is true, except sometimes upstream patching can take a while and it would be a good idea to warn users about the problem in the meantime so that they can take temporary measures. If there's a single thing that I miss about Arch security, it's Arch Sheriff: it basically did that. Maybe people who want to do something about security could begin with resurrecting it. -- catwell
I suppose my problem with all the Arch security/insecurity talk is that it assumes that Arch users are not more than capable of reading lists and discovering bugs and holes in software that we use daily. I don't think there has ever been an issue with an Arch package that wasn't fixed as soon as upstream made a fix available. We can't expect our small community to fix upstream bugs and issues. Moreover, the effort should be spent on addressing distribution-specific shortcomings. Just my two cents.

On Feb 1, 2010 5:56 PM, "Pierre Chapuis" <catwell@archlinux.us> wrote:
On Mon, 1 Feb 2010 22:21:03 +0100, Heiko Baums <lists@baums-on-web.de> wrote:
If a security bug is found it should be filed to and fixed by upstream anyway.
This is true, except sometimes upstream patching can take a while and it would be a good idea to warn users about the problem in the meantime so that they can take temporary measures. If there's a single thing that I miss about Arch security, it's Arch Sheriff: it basically did that. Maybe people who want to do something about security could begin with resurrecting it. -- catwell
On Wednesday 03 February 2010 12:56:57 Robert Howard wrote:
I suppose my problem with all the Arch security/insecurity talk is that it assumes that Arch users are not more than capable of reading lists and discovering bugs and holes in software that we use daily. I don't think there has ever been an issue with an Arch package that wasn't fixed as soon as upstream made a fix available. We can't expect our small community to fix upstream bugs and issues. Moreover, the effort should be spent on addressing distribution-specific shortcomings. Just my two cents.
+1. That's why I am still subscribed to the Slackware security announcements, just for cross-checking. So far it hasn't mattered :) I think the issue for Arch is not patching, that is already as good as it gets, but configuration. Hardened kernel + user space, multiple available kernels, such as RBAC, grsec etc. I guess the demand is simply not too great. I filed a request for smack inclusion some time back and it was attempted too but it did not play well with some other things. I guess it will take some time before it is mature enough. -- Regards Shridhar
On Mon, 1 Feb 2010 14:14:18 -0600 Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Sun, Jan 31, 2010 at 9:05 AM, Daenyth Blank
Don't forget: everyone is interested in "starting discussions" or "planning" or "drawing up plans", but when it comes to the actual work well, then the original initiators get disinterested. It's as if the problem is purely academic and all that's needed is a solution and things will simply get implemented.
I'm surmising that this has happened before. My solution to the 'security issue' would be administrative rather than technical to allay the fears of one poster who didn't want Arch to get overly complicated. I'm going to work on processes that a security team would need to follow when a security issue is disclosed. I'll post that here when it's done for discussion and comments so others can contribute. I've been mulling this over for a long time and I want to make my favourite distro even better. regards, Ananda Samaddar
On Mon, Feb 1, 2010 at 3:28 PM, Ananda Samaddar <mr.a.samaddar@googlemail.com> wrote:
On Mon, 1 Feb 2010 14:14:18 -0600 Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Sun, Jan 31, 2010 at 9:05 AM, Daenyth Blank
Don't forget: everyone is interested in "starting discussions" or "planning" or "drawing up plans", but when it comes to the actual work well, then the original initiators get disinterested. It's as if the problem is purely academic and all that's needed is a solution and things will simply get implemented.
I'm surmising that this has happened before. My solution to the 'security issue' would be administrative rather than technical to allay the fears of one poster who didn't want Arch to get overly complicated. I'm going to work on processes that a security team would need to follow when a security issue is disclosed. I'll post that here when it's done for discussion and comments so others can contribute. I've been mulling this over for a long time and I want to make my favourite distro even better.
regards,
Ananda Samaddar
Search the wiki for "security", you'll see what others have attempted to do.
On Sun, 31 Jan 2010 15:01:15 +0000, Ananda Samaddar <ananda.samaddar@vfemail.net> wrote:
After some discussion we should be able to reach a consensus and start giving security issues the priority they deserve.
Maybe this is the problem: some people (including me) might think that perfect security is not a priority. The people from Debian see it this way: security > functionality > simplicity. I see it the other way around: simplicity > functionality > simplicity. Meaning: I prefer something that is simple and insecure. I am OK with more security if it doesn't make Arch tools overly complex. Otherwise, because Arch is a desktop (as opposed to server) distribution, it is just not worth it. -- catwell
On 01/31/2010 08:31 PM, Ananda Samaddar wrote:
I really like Arch. I switched about a year ago after being a Debian user for nine years. There is something that troubles me though about Arch. Its lack of security focus. By this I mean there is no consistent way that security issues are dealt with. There was a proposal for 'The Arch Linux Security Team' but it seems to have fallen by the wayside[1]. I propose to resurrect this in the spirit of Arch's users becoming contributors.
I, hopefully not alone, wish to draw up a list of processes that can be used to create a dedicated Arch Linux security team that can deal quickly and efficiently with security alerts. It would need to be able to liaise successfully with Arch developers and hopefully over time security team members can become trusted users.
I'm mentioning it now as I notice that an Arch Conference is being organised in Canada. One of my proposals (shamefully stolen from Debian) would be to have key-signing parties at Arch Linux meet-ups. This could then be used to create an Arch Linux web of trust.
So basically I'm going to get my ideas into writing and post them on this list. I hope others will be willing to come forward and contribute too. After some discussion we should be able to reach a consensus and start giving security issues the priority they deserve.
regards,
Ananda Samaddar
Key signing is not required for us I think. Because Arch people are the first to release package updates. It is tested properly and is given in .tar.gz archives. Even if a byte is altered in the archive then its md5sum would change so pacman will complain. -- Nilesh Govindarajan Site & Server Administrator www.itech7.com
On 01/31/2010 09:18 PM, Nilesh Govindarajan wrote:
On 01/31/2010 08:31 PM, Ananda Samaddar wrote:
[snip]
Key signing is not required for us I think. Because Arch people are the first to release package updates. It is tested properly and is given in .tar.gz archives. Even if a byte is altered in the archive then its md5sum would change so pacman will complain.
Close, but what about the package list? The proposals I've seen have mostly been to just sign the package list, since the md5 takes care of everything else.
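
The point raised in the last two messages, as an added example that is not part of the original thread and is not pacman's code: an md5 stored in the package list catches a changed archive only while the list itself is authentic, which is why the proposals were to sign the list. The package name, contents and key are constructed, and HMAC-SHA256 stands in for a real public-key (GPG) signature only so that the example runs with the standard library.

```python
import hashlib
import hmac

# Constructed sample data; none of it comes from a real repository.
PKG_NAME = "example-1.0-1.pkg.tar.gz"
GOOD_PKG = b"constructed package contents"
SIGNING_KEY = b"constructed-key"  # stand-in for the packagers' signing key


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_list(packages: dict) -> bytes:
    """Serialize the package list as 'name md5' lines in a stable order."""
    return "".join(f"{n} {md5_hex(d)}\n" for n, d in sorted(packages.items())).encode()


def sign_list(pkg_list: bytes, key: bytes) -> str:
    """Stand-in for a detached signature over the list (HMAC, not GPG)."""
    return hmac.new(key, pkg_list, hashlib.sha256).hexdigest()


def verify(pkg_name, pkg_data, pkg_list, signature=None, key=None) -> str:
    """Client-side check; without a signature only the md5 comparison runs."""
    if signature is not None:
        if not hmac.compare_digest(sign_list(pkg_list, key), signature):
            return "reject: package list signature mismatch"
    listed = dict(line.split() for line in pkg_list.decode().splitlines())
    if listed.get(pkg_name) != md5_hex(pkg_data):
        return "reject: md5 mismatch"
    return "accept"


def scenarios() -> dict:
    good_list = build_list({PKG_NAME: GOOD_PKG})
    sig = sign_list(good_list, SIGNING_KEY)  # published alongside the list
    altered_pkg = GOOD_PKG + b" (altered in transit)"
    altered_list = build_list({PKG_NAME: altered_pkg})  # list rewritten to match
    return {
        "archive altered, list intact": verify(PKG_NAME, altered_pkg, good_list),
        "both altered, unsigned list": verify(PKG_NAME, altered_pkg, altered_list),
        "both altered, signed list": verify(PKG_NAME, altered_pkg, altered_list, sig, SIGNING_KEY),
        "untouched, signed list": verify(PKG_NAME, GOOD_PKG, good_list, sig, SIGNING_KEY),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

With a real public-key signature the client holds only the public key, so nothing secret is distributed to users.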
participants (12)
- Aaron Griffin
- Ananda Samaddar
- Ananda Samaddar
- Brendan Long
- Carlos Williams
- Daenyth Blank
- Eric Bélanger
- Heiko Baums
- Nilesh Govindarajan
- Pierre Chapuis
- Robert Howard
- Shridhar Daithankar