On Tue, 22 Apr 2003 21:08, Sebastian Zimmermann wrote:
> what is your opinion on the recently released Trusted Debian
> (http://www.trusteddebian.org/)? It is claimed that it is more secure
> than regular woody, however, there is no security team. I don't want to
> discuss security though, but whether or not an ISP should use it.

I am running an ISP on SE Linux with Brian May's back-port packages and it's going well. In total I am running four SE Linux machines with full Internet access 24*7, they all perform well in every way.

The majority of security advisories are not a big deal to me as SE Linux policy prevents the programs in question from gaining the access needed to cause problems. So often I don't have to upgrade in a hurry when a security advisory comes out, I can wait days or weeks to perform an orderly upgrade if necessary.

I have run a SE Linux test machine at various times on which I give anonymous root access to the world and challenge people to try and crack it (but no-one has achieved anything since the 18th of June 2002).

All my SE Linux work is in the process of becoming part of Debian. I have been packaging the LSM (Linux Security Modules) kernel patches that include SE Linux for almost two years. The base SE Linux packages are in Debian, and I hope that by the time Sarge is released the distribution CDs will have enough packages to make SE Linux usable.

I think that my SE Debian work is making better progress than the Trusted Debian work. RSBAC (which Trusted Debian relies on) is not in Debian. I made an initial set of kernel patch packages which apparently no-one even bothered testing so I never uploaded them to Debian. Because of this level of apparent disinterest RSBAC is not in Debian and it seems that Trusted Debian will remain separate from Debian.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

