[arch-general] New Google Group for discussion and notices on Arch security.

C Anthony Risinger anthony at extof.me
Thu Jun 17 20:33:23 EDT 2010


On Thu, Jun 17, 2010 at 6:12 PM, Burlynn Corlew Jr <burlynn at gmail.com> wrote:
> I am going to vote that you please do not CC all of this to arch-general.
> Many of us are not concerned with this, and already this afternoon I've seen
> enough mail regarding it that I can see it as a problem. The arch-security
> list has been denied, and it seems to me all this is doing is trying to
> circumvent the denial. Your google group is your business, but I feel that
> forwarding to arch-general, the most popular list we have, is unfair to
> those who do not wish to be involved.

beh, finally :-D

and i agree with others that if you're not interested in following the
rolling release for 'security reasons' then you're probably headed for
more complications than it's worth.

security is a vast and wide concept, full of crevasses and bear traps.
'securing' and auditing an entire distribution full of heterogeneous
software is the job of a full-time paid staff of security experts,
engineers, and upstream developers.  even that may not produce much.
anything less will add complexity due to naive diagnosis, and will not
be worth the massive amount of time expended in the process.

however, you can be a security conscious administrator.  learn in
depth the specific systems/daemons/applications that you depend on.
learn them, and really understand their roles, relationships, and I/O
points in relation to the other software on the system.  monitor your
systems and look for that which does not fit.

security is the responsibility of those deploying, not those
packaging.  it requires end-to-end oversight and complete
configuration toward a specific and particular purpose; something that
is not possible for those creating a distribution for a generic,
multi-purpose user base.

