Re: [tor-talk] What's to be Done

[Jacob Appelbaum <jacob@xxxxxxxxxxxxx>]

Hi,

On 8/24/15, Apple Apple <djjdjdjdjdjdjd32@xxxxxxxxx> wrote:
> It's not a Debian specific problem. Even "Security Conscious" distros like
> Fedora only build a dozen or so key packages with pic and ssp because of
> performance concerns. Address sanatizor is obviously out of the question.

I think that this is where we'll find an advantage with Subgraph - who
is basically going to do the right thing with security all around.
They are basing a lot of their work on Debian, so I suspect some - if
not all - will be folded back into the mainline.

>
> Then of course Linux does not have proper ASLR without 3rd party kernel
> patches anyway making pie pretty pointless.

That's part of why you'd want grsec....

>
> There is a good article out there on why rsbac does not use lsm, I
> recommend you read it if you do not understand the current security vs
> performance dynamic within Linux. You should also read up on the history of
> Pax and ask why it is not in the mainline Linux tree.
>

I understand the major bits and I've talked with Spender a bit about
things we could do to ship useful configurations for a kernel.

> For whoever asked about previous Debian specific attempts I suggest you
> look into a project called mempo, now defunct of course.
>

I'm familiar with mempo - it is defunct because they did not actually
take the time to work on integrating it with Debian properly. They did
their own thing and it was nearly impossible for even interested
parties to review it. Very sad but shows the importance of taking the
harder Debian direction of travel if we want Debian's sustainability.

> Given what I've said above we return to my original point. No mainstream
> distro, especially Debian, is willing to pay the cost (mostly performance)
> for adding meaningful security. If your plan is to try to bulldoze all this
> stuff into Debian testing, that's not going to work...

My plan is to ensure that we improve a number of things - we won't get
ASAN for every package in the archive by defaut, obviously. We will
finally have rpc turned off by default and we will have a grsec
enabled kernel as an option. That is a starting point and it is an
incremental improvement. For everything else, I think we'll see an
uptick in SubgraphOS users that fold positive things back into Debian
proper.

All the best,
Jacob
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk