During the bombing raid on Fri, 10 Aug 2001 21:30:10 +0200, Marco Wesselgren
was heard mumbling in fear:
> I'm not claiming that Mandrake are insecure, just saying that there are
> more secure systems.
>
> Let's take two other operating systems that are in general "secure" and
> compare them to Mandrake
>
> The first one Debian
>
> Debian releases packages in two groups, Stable and Unstable. Stable has been
> tested for security and that it's actually stable on a running server.
Sure, and they have no bugs, right? like the one that killed apt about
3 months ago? and the one that uninstalled postfix and installed exim when
doing a *security-only* upgrade in my LUG's server? (and both of these happened
in a potato install...granted, second one was helped by admin stupidity, but it
shouldn't have happened anyway). Debian is as bug/error prone as any other
distro, if not more...there's way too many packages in it that need to be
audited.
> All packages released to Mandrake are directly from the CVS, almost anyway,
> and the bugtesting is up to the user, the package released
> haven't been tested enough (It takes some time to go through the code to
> remove obvious and less obvious exploit possibilities, it also takes time to
> remove
> bugs that can make your product vulnerable to DOS attacks).
All I can say is...I've never had a mdk box cracked on my watch.
> Debian has an established way to patch the system called apt-get, you can
> run it from a script every hour if you feel like it.
And get your perfectly working postfix install b0rked up, right? that's
exactly what my co-admin in my LUG's box did, set a daily cronjob for
security-only updates...I killed him and then deleted the cronjob.
Also, I have apt installed in my 3 mdk servers (2 non-critical
production 8.0 servers at clients' sites and a test cooker server doing minor
internal database stuff for my company)...so, your point is...what?
> Yes you have mandrakeupdate which is a gui tool, how do you use that one on
> a server located 500 miles from you with the only
> possibility to login is SSH (If you use telnet or RSH your main concern isn't
> security), you could do it manually = it might not be done that often --->
Uh? not only you can install apt in your mandrake boxes, you can also
use urpmi which comes with mandrake and is a console updater that does
everything apt does (if not more, according to what I've heard...I use apt out
of habit).
> You've got yourself an insecure system.
If not having apt is the reason you are going to give me for an
insecure system, I'm really sorry for the stock company you work for...only
stupid carpenters blame the hammer for hitting their thumb.
> A mail from debian security, concerning all distros,
<snip>
I've seen a million security updates done to mandrake without any
discussion at all in the security list. The fact that security discussions in
the public mailing list don't happen doesn't mean they don't happen in the
private mandrake lists. This proves nothing, except that whoever posted that
doesn't have a clue about how mandrake works.
> The other one OpenBSD, well a quote from http://www.openbsd.org says it all
> :)
> "Four years without a remote hole in the default install!"
And if you read the small letter, the default install is unusable for
anything except running a local shell. So, again...what's the point? The
moment you change a single line in a configuration, they say it's not a default
install anymore and doesn't count if it gets cracked....it's pure marketing.
> I work as a System Administrator for stockmarket systems and we have
> security and stability as our main focus, we run every system on Debian and
> our firewalls are running OpenBSD.
If security is really your main concern, you really need to start
focusing on important matters, not on hearsay and marketing.
> A few last words, want this thread to end, a system isn't more secure than
> the person who administers it makes it, but if he doesn't have the means to
> keep it secure it won't be secure.
"doesn't have the means"? like apt? come on.
> And yes I rather choose Mandrake on a firewall than a Windows version, but
> why not choose the most secure system while you're at it?
Which one is the most secure system? I guess that if we are going to
go over the number of cracks that happen to an OS, we all should be running our
firewalls and web servers on Macs...that's why the US Army chose it as their OS
for the web servers they have.
Vox
--
Pain is the gift of the gods, and I'm the one they chose as their messenger....
For info on safety in the BDSM lifestyle http://www.the-vox.com
Think of the Linux community as a niche economy isolated by its beliefs. Kind
of like the Amish, except that our religion requires us to use _higher_
technology than everyone else. -- Donald B. Marti Jr.
Vox populi, vox deii....