On Thu, Sep 12, 2013 at 11:41 PM, adrelanos wrote:

> How secure is a Debian installation packages installed only from main,
> none from contrib or non-free?

Install and run debsecan on such a system to find out about the known
vulnerabilities. For the unknown ones you have to audit the code running
on your system and the potential code paths. Probably start with the
Linux kernel.

> It will lack for example the firmware-linux-nonfree package and the
> intel-microcode / amd-microcode package. At least the microcode one is
> security relevant? Are there any other packages which might be important
> to have installed for security reasons?

No known issues for these:

https://security-tracker.debian.org/tracker/source-package/intel-microcode
https://security-tracker.debian.org/tracker/source-package/amd-microcode

One issue for the Broadcom BCM4325 and BCM4329 Wi-Fi firmware, not
affected by Debian:

https://security-tracker.debian.org/tracker/source-package/firmware-nonfree
https://security-tracker.debian.org/tracker/CVE-2012-2619
http://bugs.debian.org/694716

> I mean, how secure is it in comparison with those packages installed vs
> not having them installed?

There is no way to judge that objectively since we don't have the code
for them, don't know what the updates do and most of these are for
unknown CPU architectures. Despite that, there has been some work on
microcode reverse engineering:

http://inertiawar.com/microcode/

I guess the rest of the thread covered the philosophical/theoretical
side of things.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
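An added example, not part of the original message: one way to see which installed packages come from main, contrib or non-free, and to group known CVEs by that archive area. It assumes dpkg status stanzas and debsecan summary lines shaped like `CVE-ID package (notes)`; all sample data, package names starting with `example-` and CVE ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of /var/lib/dpkg/status (not a real system).
SAMPLE_STATUS = """\
Package: example-lib
Status: install ok installed
Section: libs

Package: intel-microcode
Status: install ok installed
Section: non-free/admin

Package: example-tool
Status: install ok installed
Section: contrib/utils

Package: example-removed
Status: deinstall ok config-files
Section: non-free/misc
"""

# Constructed lines in the assumed shape of debsecan's summary output.
SAMPLE_DEBSECAN = """\
CVE-0000-0001 example-lib (remotely exploitable, high urgency)
CVE-0000-0002 example-lib
CVE-0000-0003 example-tool (fixed, low urgency)
"""

def archive_areas(status_text):
    """Map each fully installed package to its archive area."""
    areas = {}
    for stanza in status_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines()
                      if ": " in line and not line.startswith(" "))
        if fields.get("Status", "").split()[-1:] != ["installed"]:
            continue  # removed packages that only left config files behind
        section = fields.get("Section", "")
        # main uses a bare section ("libs"); other areas prefix it ("non-free/admin").
        areas[fields["Package"]] = section.split("/", 1)[0] if "/" in section else "main"
    return areas

def cves_by_area(debsecan_text, areas):
    """Group CVE ids from debsecan-style lines by the package's archive area."""
    grouped = defaultdict(set)
    for line in debsecan_text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)", line)
        if m:
            grouped[areas.get(m.group(2), "unknown")].add(m.group(1))
    return {area: sorted(ids) for area, ids in grouped.items()}
```

On a real system the two inputs would be the contents of /var/lib/dpkg/status and the captured output of a debsecan run.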

