Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Security

List purpose (was: Sorry for testing the list...)

  

 
Gentoo security RSS feed   Index | Next | Previous | View Threaded


koon at gentoo

Dec 20, 2004, 3:26 AM

Post #1 of 7 (673 views)
Permalink
List purpose (was: Sorry for testing the list...)
Peter Karlsson wrote:

> Is this a general security discussion list or a gentoo security updates
> list? Shouldn't there be lots of discussions regarding firewall filter
> rules, IDS, SELinux, etc?
>
> Just for the sake of it? ;-)

It's a general Gentoo security discussion list.

Gentoo-related vulnerabilities are submitted to Bugzilla
(Product=GentooSecurity / Component=Vulnerabilities) and GLSAs are
posted to gentoo-announce, so it's not the best place to discuss
security updates, vulnerabilities or GLSA errors (which should be in
Bugzilla Gentoo Security / Component="GLSA Errors").

We discuss major security policy changes here, and also have discussions
on the general subject of Gentoo and Security (like the use of MD5 only
in portage, or the lack of tree signing). You can post general security
subjects here but you might find the list a little quiet for this and
prefer to post to another list with wider audience (like the
securityfocus ones).

It's true this list may have a too narrow purpose, especially with the
existence of the gentoo-hardened and gentoo-server lists which overlap
parts of it...

--
Thierry Carrez (Koon)
Operational Manager, Gentoo Linux Security
Attachments: signature.asc (0.18 KB)


petekarl at student

Dec 20, 2004, 4:28 AM

Post #2 of 7 (643 views)
Permalink
Re: List purpose (was: Sorry for testing the list...) [In reply to]
On Mon, 20 Dec 2004, Thierry Carrez wrote:

> It's a general Gentoo security discussion list.

Well, I wasn't that serious about the question (hence the ;-) smiley) but
I thought that a security list should be a little more "livelier" than
what it currently is.

> Gentoo-related vulnerabilities are submitted to Bugzilla
> (Product=GentooSecurity / Component=Vulnerabilities) and GLSAs are
> posted to gentoo-announce, so it's not the best place to discuss
> security updates, vulnerabilities or GLSA errors (which should be in
> Bugzilla Gentoo Security / Component="GLSA Errors").

Ok, I'm new to gentoo. GLSA=GentooLinuxSecurityAnnouncement?

> We discuss major security policy changes here, and also have discussions
> on the general subject of Gentoo and Security (like the use of MD5 only
> in portage, or the lack of tree signing). You can post general security
> subjects here but you might find the list a little quiet for this and
> prefer to post to another list with wider audience (like the
> securityfocus ones).

So what's up with the md5 -> pgp-signing of packages/sources?
And why is there no basic firewall rules applied in gentoo? (I may have
missed something)

> It's true this list may have a too narrow purpose, especially with the
> existence of the gentoo-hardened and gentoo-server lists which overlap
> parts of it...

I thought gentoo-hardened was the paranoid sysop's list with everything
locked down, down to a near unusable machine. ;-)
Well, I would like to move closer to a hardened machine in the future but
not right now; I have other, more pressing, goals.

Perhaps gentoo-hardened and gentoo-security could be combined?

Best regards

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

--
gentoo-security [at] gentoo mailing list


lewk at gentoo

Dec 20, 2004, 7:03 AM

Post #3 of 7 (643 views)
Permalink
Re: List purpose (was: Sorry for testing the list...) [In reply to]
On Mon, Dec 20, 2004 at 12:28:03PM +0100, Peter Karlsson wrote:
> Well, I wasn't that serious about the question (hence the ;-) smiley)

Since when do smiley's diminish the notion of seriousness? ;)


luke
--
Luke Macken <lewk [at] gentoo>


lami at bonbox

Dec 20, 2004, 8:05 AM

Post #4 of 7 (649 views)
Permalink
Re: List purpose [In reply to]
>>Well, I wasn't that serious about the question (hence the ;-) smiley)
>>
>>
>Since when do smiley's diminish the notion of seriousness? ;)
>
>
Since they were invited? :) If I remember right, it was main purpose.
Depends on what smile it is.

Lami

--
gentoo-security [at] gentoo mailing list


koon at gentoo

Dec 20, 2004, 9:25 AM

Post #5 of 7 (653 views)
Permalink
Re: List purpose [In reply to]
Peter Karlsson wrote:

> Ok, I'm new to gentoo. GLSA=GentooLinuxSecurityAnnouncement?

Yes.

> So what's up with the md5 -> pgp-signing of packages/sources?

Double hashing (SHA1+MD5) and GPG-signing of Manifests (and getting all
/usr/portage files signed at some point) are all under way. I still hope
at least one of those projects will be finished by 2005.0 release.

> And why is there no basic firewall rules applied in gentoo? (I may have
> missed something)

You mean having some sort of default firewall protection after a default
install ? I don't think we'll do it. A stage 3 leaves you with no
services running so basically you don't need a default firewall. If you
switch services on you should probably get one, but that "probably"
means some user don't need one and will not clutter their machine with
it. As Gentoo is about choice, we keep everything "optional" and the
system profile to a bare minimum.

> I thought gentoo-hardened was the paranoid sysop's list with everything
> locked down, down to a near unusable machine. ;-)

Hardened machines are not unusable. They just run one of the hardened
kernels with some security features enabled. This ranges from a simple
GRSEC/PaX hardening to a full SELinux permission-based system.

> Well, I would like to move closer to a hardened machine in the future but
> not right now; I have other, more pressing, goals.
>
> Perhaps gentoo-hardened and gentoo-security could be combined?

They could. I don't follow the hardened list so I don't know if they
suffer from the same traffic problem as we do. Probably there are the
usual support requests that keep it alive...

--
Koon

--
gentoo-security [at] gentoo mailing list


genone at gentoo

Dec 22, 2004, 4:57 PM

Post #6 of 7 (647 views)
Permalink
Re: List purpose [In reply to]
On Mon, 20 Dec 2004 17:25:49 +0100
Thierry Carrez <koon [at] gentoo> wrote:

> Peter Karlsson wrote:
>
> > Ok, I'm new to gentoo. GLSA=GentooLinuxSecurityAnnouncement?
>
> Yes.
>
> > So what's up with the md5 -> pgp-signing of packages/sources?
>
> Double hashing (SHA1+MD5) and GPG-signing of Manifests (and getting
> all/usr/portage files signed at some point) are all under way. I still
> hope at least one of those projects will be finished by 2005.0
> release.

You saw the mail I sent to -dev about the problems with SHA1 digests a
few weeks ago? Basically it requires a new portage release for
devs and *all* users *have to* use >=portage-2.0.51. Unlikely that will
be done by 2005.0, maybe 2005.1.

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.


petekarl at student

Dec 23, 2004, 7:45 PM

Post #7 of 7 (641 views)
Permalink
Re: List purpose [In reply to]
On Mon, 20 Dec 2004, Thierry Carrez wrote:

> > So what's up with the md5 -> pgp-signing of packages/sources?
>
> Double hashing (SHA1+MD5) and GPG-signing of Manifests (and getting all
> /usr/portage files signed at some point) are all under way. I still hope
> at least one of those projects will be finished by 2005.0 release.

Good to know.

> You mean having some sort of default firewall protection after a default
> install ? I don't think we'll do it. A stage 3 leaves you with no
> services running so basically you don't need a default firewall. If you
> switch services on you should probably get one, but that "probably"
> means some user don't need one and will not clutter their machine with
> it. As Gentoo is about choice, we keep everything "optional" and the
> system profile to a bare minimum.

Well, I just thought a minimal firewall script would be handy for those
that installs X for instance... and also for paranoid geeks like me. ;-)

> > I thought gentoo-hardened was the paranoid sysop's list with everything
> > locked down, down to a near unusable machine. ;-)

> Hardened machines are not unusable. They just run one of the hardened
> kernels with some security features enabled. This ranges from a simple
> GRSEC/PaX hardening to a full SELinux permission-based system.

I wasn't serious when I said unusable, although a hardened machine could
be made unusable, if you're not careful. I'm planning on doing a
semi-hardening myself when I can find the time (this of course involves
doing a full re-install).

> > Perhaps gentoo-hardened and gentoo-security could be combined?
>
> They could. I don't follow the hardened list so I don't know if they
> suffer from the same traffic problem as we do. Probably there are the
> usual support requests that keep it alive...

Probably.

Merry x-mas & a happy new year to all!

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

--
gentoo-security [at] gentoo mailing list

Gentoo security RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.