Benjamin Scott wrote:
>
> On Mon, 23 Apr 2001, Kenneth E. Lussier wrote:
> > From the sounds of it, RH might be trying to repair their reputation as an
> > insecure distro.
>
> In all fairness, most of the security holes in Red Hat have been in the
> original packages (e.g., the recent BIND exploits). I suspect worms like
> Ramen and Lion were targeted at RH simply because they are more popular, and
> the designer wanted to target the largest population.
I don't blame RH for bugs and security holes in packages like BIND, lpd,
gpm, etc. The package maintainers are at fault there. What I blame RH
for is the way they decide to configure these packages. For example, on an RH
system with BIND installed, named runs as root. Other distros change
this so that the default user that named runs as is an unprivileged
user. Their install is good, at least I remember it as being pretty
good, and they have gone to great lengths to make it an easy to use
end-user system. However, it's hard to reach the largest population when
doing things to increase ease of use compromises the security of a
system. A reputation as a security risk in today's market completely
undermines any other good. It's unfortunate, but it's true. It doesn't
matter if it's a server or a workstation.
> Linux distributions *in general* have a reputation for being rather
> promiscuous in their default installs. Mandrake is the only one I have seen
> that offered any security options in the installer at all -- and I'm not
> familiar enough with Mandrake to know if they pulled it off.
A few months back Mandrakesoft hired Jay Beale, leader of the
Bastille-Linux project, to head up security efforts for their distro.
I'm not sure what he has accomplished, since I don't use Mandrake, but
it was a definite step in the right direction.
> And sure, you
> read about this or that fringe distribution with a focus on security, but
> really, *any* distribution should have a focus on security.
I agree that every distro should have a focus on security. I don't know
if I agree with the fringe distribution part, though. Debian seems to
have a good handle on security. The installer warns against suid
binaries, packages are centrally maintained and audited, and security
updates are released fairly quickly. I'm not saying that they are
perfect, but they seem to be slightly ahead of many other distributions.
> I just ordered SuSE 7.1 Pro last night -- I'll have to see how well that
> does.
Keep us (or at least me) posted on this. It's been a while since I used
SuSE.
C-Ya,
Kenny
--
-------------------------------------------------
Kenneth E. Lussier
Geek by nature, Linux by choice
PGP KeyID 0xD71DF198
Public key available @ http://pgp.mit.edu
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
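The two concrete complaints above, network daemons such as named started as root and setuid binaries left lying around, are things a reader can check on their own box. The script below is an added example written for this page, not code posted by anyone in the thread. It audits a `ps`-style listing for watched daemons running as root (the watchlist and the sample `ps` lines are constructed assumptions) and lists setuid/setgid executables under a directory (demonstrated on a throwaway temp tree it builds itself). The comment at the end points at the BIND fix the message alludes to: named accepts a `-u user` flag to drop to an unprivileged account after binding port 53.

```shell
#!/bin/sh
# Added example for this thread; not from any participant or distribution.
# 1) root_daemons: read "USER PID COMMAND" lines (as from `ps -eo user,pid,comm`)
#    on stdin and print the watched daemons that run as root.
# 2) setuid_files: list setuid or setgid regular files beneath a directory.

# Assumption: the daemons worth watching. Extend to taste.
WATCHLIST="named lpd gpm sendmail"

root_daemons() {
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        NR == 1 && $1 == "USER" { next }            # skip the ps header line
        $1 == "root" && ($3 in watch) { print $3 }  # watched daemon, running as root
    ' | sort -u
}

setuid_files() {
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed sample, not a real capture: named and lpd run as root here,
# a second named worker has already dropped to the "named" user, and httpd
# runs as nobody.
SAMPLE_PS='USER PID COMMAND
root 1 init
root 412 named
root 415 lpd
named 417 named
nobody 500 httpd
root 520 sendmail'

root_daemons_sample() {
    printf '%s\n' "$SAMPLE_PS" | root_daemons
}

# Build a throwaway tree containing one plain and one setuid file, audit it,
# print paths relative to the tree, and clean up.
setuid_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/plain";    chmod 0755 "$dir/plain"
    mkdir "$dir/sub"
    : > "$dir/sub/suidtool"; chmod 4755 "$dir/sub/suidtool"
    setuid_files "$dir" | sed "s|^$dir/||"
    rm -rf "$dir"
}

# On a real system you would feed `ps -eo user,pid,comm | root_daemons`
# and `setuid_files /`. The fix for named is to start it with an
# unprivileged user, e.g. `named -u named` (BIND's -u option), rather
# than leaving it as root for its whole lifetime.

echo "watched daemons running as root:"
root_daemons_sample
echo "setuid/setgid files in demo tree:"
setuid_demo
```

`root_daemons` only reports a daemon when the root-owned process is the one with that command name, so a named that has already switched to its service user does not trigger it; `setuid_files` is the same `find` a Debian or Bastille-style audit would run over `/`.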