On Fri, Sep 13, 2013 at 8:42 AM, adrelanos <[email protected]> wrote:
> adrelanos:
>> How secure is a Debian installation with packages installed only from main,
>> none from contrib or non-free?
>>
>> It will lack for example the firmware-linux-nonfree package and the
>> intel-microcode / amd-microcode package. At least the microcode one is
>> security relevant? Are there any other packages which might be important
>> to have installed for security reasons?
>>
>> I mean, how secure is it in comparison with those packages installed vs
>> not having them installed?
>>
>>
>
> I apologize, I didn't want to start a discussion of Open Source vs
> closed source. (Feel free to have it, I am delighted to read your
> thoughts on it, but I'd be also happy about an answer to the question I
> meant to ask but failed to properly state.) Sorry for not asking clearly
> in the first place.
>
> To rephrase my original question:
>
> How vulnerable is a Debian installation without the intel-microcode /
> amd-microcode package?
No one knows. We can only guess. Our guess includes an assumption that Intel or AMD would or would not deliberately sabotage their products at the instigation of an organization like the Chinese/Taiwanese government or the NSA or some similar equivalent or not-so-equivalent secret organization.

Ken Thompson gave us the archetype response on this question when he described a way to grandfather a backdoor password into (the libraries used by) a C compiler such that it would not show in the source but would be present in the object. I assume you have read his essay on trusting trust?

(1) All we can say for sure is that anything that is open is inherently more open than anything that is closed.
(2) Anything we didn't build ourselves may be deliberately sabotaged.
(3) Anything we do build ourselves will have accidental gaping holes.
(4) When we work with friends, we can do more than when we work alone.

None of that tells us how bad Intel and AMD are screwing up, and which directions they are running with the ball in the hardware camp. They are primarily concerned with features that sell or otherwise obviously make them money. Until sometime in the future (closer now than a year ago), security does not sell, does not obviously make them money.

<rant-mode>
That's the short-sightedness of a capital-based economy when interest-holders are not well-versed in the technological details of a company's products or of the impact that product has in the market and where it gets used.

I hate to bring up the G-word again, but when we humans work beyond the edge of our abilities, we end up depending on someone being more than human. And we refuse to accept the limitations of working within our abilities, just like we refuse to believe we are as limited as we are. Fortunately, G?? (or the universe) seems to have given us room to make mistakes in this way, up to a point. Our next big mistake is to hope that the natural consequences (or punishments of G??) will never catch up to us.
</rant-mode>

> Are there other contrib and/or non-free packages, similar to the
> microcode package, which make the system vulnerable, if not installed?

Depends on what you're using the system for.

Wish I could say more, but we are really just barely beginning to scratch the surface of building a stable computer technology. And the big boys are all about intellectual property right now, and as long as they are playing those games, we aren't going to get any further on what you need to be able to answer that question, essentially a database of function vs. package vs. target use, and the interplay thereof.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: http://lists.debian.org/CAAr43iN-ieCCU0jQvW6Hi9qcKTbKTBnn7=shtvx89vfxseq...@mail.gmail.com
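The thread argues about whether the microcode packages matter without ever showing how to find out what a given host is actually running. The script below is an added example, not code from the thread or from Debian: it reports the CPU vendor, the microcode revision the kernel says it is executing, whether the matching Debian package (intel-microcode or amd-microcode) is installed, and whether the APT source list even enables a component that carries those packages (non-free up to Debian 11, non-free-firmware from Debian 12). It assumes the Linux `/proc/cpuinfo` layout, the Debian package names above, and a one-line-style `/etc/apt/sources.list` (files under `sources.list.d` are not inspected). The parsing is written over file paths so it can be checked against constructed input.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit a Debian host for the
# microcode state the question asks about. Assumptions: Linux /proc/cpuinfo
# layout ("vendor_id : ..." and "microcode : 0x..." per logical CPU), the
# Debian package names intel-microcode / amd-microcode, and a one-line-style
# /etc/apt/sources.list. Run with:  sh microcode-audit.sh --audit

# Revision of the microcode the kernel reports as running, read from the
# cpuinfo-style file given as $1 (default /proc/cpuinfo). Fails if absent.
# Caveat: this is whatever is loaded, whether it came from the BIOS/UEFI
# firmware or from the Debian package; an old firmware revision still shows.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}" | grep .
}

# CPU vendor string from the same file.
cpu_vendor() {
    awk -F': ' '/^vendor_id/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Debian package carrying microcode updates for a vendor string; fails for
# vendors Debian ships no package for.
microcode_package_for() {
    case "$1" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd-microcode ;;
        *) return 1 ;;
    esac
}

# True when the APT source list given as $1 enables a component that can
# carry the microcode packages: non-free (Debian <= 11) or non-free-firmware
# (Debian >= 12). Commented-out lines and deb-src lines are ignored.
nonfree_enabled() {
    grep -Eq '^[[:space:]]*deb[[:space:]].*[[:space:]](non-free|non-free-firmware)([[:space:]]|$)' "$1"
}

# True when the named package is in state "install ok installed" here.
package_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null | grep -q 'install ok installed'
}

# Put it together: what the CPU is, what microcode it is executing, whether
# the matching Debian package is present, and whether APT could even see it.
audit_host() {
    cpuinfo="${1:-/proc/cpuinfo}"
    sources="${2:-/etc/apt/sources.list}"
    vendor=$(cpu_vendor "$cpuinfo")
    printf 'CPU vendor:        %s\n' "${vendor:-unknown}"
    printf 'Running microcode: %s\n' "$(microcode_revision "$cpuinfo" || echo 'not reported')"
    if pkg=$(microcode_package_for "$vendor"); then
        if package_installed "$pkg"; then
            printf 'Package %s: installed\n' "$pkg"
        else
            printf 'Package %s: NOT installed (or dpkg unavailable)\n' "$pkg"
        fi
    else
        echo 'No Debian microcode package known for this vendor'
    fi
    if [ -r "$sources" ] && nonfree_enabled "$sources"; then
        printf '%s: non-free / non-free-firmware enabled\n' "$sources"
    else
        printf '%s: no non-free component enabled; microcode packages are not visible to APT\n' "$sources"
    fi
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

The revision printed from `/proc/cpuinfo` answers only "what is loaded now"; deciding whether that is current still means comparing it with the vendor's published revision for that CPU model, which is exactly the information the reply above says nobody outside the vendor fully has.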

