The debian-private mailing list leak, part 1.


Re: suid programs and security



Fabien Ninoles wrote:
> I would like to know if there are people out there wanting to work on an
> "especially secure" distribution of Debian? It will be based on the free
> packages (including non-us) around there, carefully chosen and tested to
> give a more secure debian system. *EXAMPLES* of main lines:

I'd like to see the current debian distribution made more secure.  I
believe your ideas could be integrated into the existing distribution,
and that a meta-package could be made for adding all of them if desired.

I agree that various things like shadow passwords (and PAM) are a very
good idea; I'd personally like to see that in the main distribution
right after the next release, so we can focus on testing procedure this
time around - hopefully starting soon, if not immediately.  (For what
it's worth, I did the initial port of John Haugh's shadow password
package to linux, back around 0.13 or 0.95; Linus felt it was too big at
the time...)

I think the main barrier to high security in debian is communication
overhead.

	People outside debian have the perception that debian doesn't
	care about security.

	Many of the people inside debian are working very hard on
	security.

	Many of the people inside debian believe there is no effort
	being made to communicate security issues to them from outside.

	I think this is because there are so many debian developers,
	that people outside debian don't know who to contact, and
	(somewhat understandably) don't want to take the time to learn
	how to find out.

I think ensuring that debian is in all the CERT advisories, with
ridiculously-simple FIXES a high percentage of the time, is key in
increasing debian's appeal.  Responses on bugtraq are also very
important.

I've been doing some messages on bugtraq, very unofficially.  I'll shut
up the moment someone is (publicly?) appointed to do it by the BoD.  I
definitely don't have my heart set on doing this, but it really should
be done, IMO.


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com