 
Old 03-15-2010, 07:03 PM
Pierre Schmitz
 
Default Arch Linux security is still poor....

On Monday, 15 March 2010 20:54:03, Ananda Samaddar wrote:
> The reason I'm asking is I want to know to whom I address my proposals
> when they are finished.

Simple: File a bug report or feature request at bugs.archlinux.org. No idea
what your "proposals" are about but you should make sure they only address a
single concrete issue.

Pierre

--

Pierre Schmitz, https://users.archlinux.de/~pierre
 
Old 03-15-2010, 07:37 PM
Aaron Griffin
 
Default Arch Linux security is still poor....

On Mon, Mar 15, 2010 at 3:03 PM, Pierre Schmitz <pierre@archlinux.de> wrote:
> On Monday, 15 March 2010 20:54:03, Ananda Samaddar wrote:
>> The reason I'm asking is I want to know to whom I address my proposals
>> when they are finished.
>
> Simple: File a bug report or feature request at bugs.archlinux.org. No idea
> what your "proposals" are about but you should make sure they only address a
> single concrete issue.

Agreed. Send them through the bug tracker so the relevant people can be notified
 
Old 03-15-2010, 08:29 PM
Allan McRae
 
Default Arch Linux security is still poor....

On 16/03/10 06:37, Aaron Griffin wrote:
> On Mon, Mar 15, 2010 at 3:03 PM, Pierre Schmitz <pierre@archlinux.de> wrote:
>> On Monday, 15 March 2010 20:54:03, Ananda Samaddar wrote:
>>> The reason I'm asking is I want to know to whom I address my proposals
>>> when they are finished.
>>
>> Simple: File a bug report or feature request at bugs.archlinux.org. No idea
>> what your "proposals" are about but you should make sure they only address a
>> single concrete issue.
>
> Agreed. Send them through the bug tracker so the relevant people can be notified



As an aside, I would like to see some numbers on where we could improve
in this area. I have been following the CVE announcements and several
other distros security releases for the past few months and from what I
see, I believe Arch is mostly ahead of the game. Following the latest
upstream releases has its advantages.


Allan
 
Old 03-15-2010, 08:43 PM
Ananda Samaddar
 
Default Arch Linux security is still poor....

On Tue, 16 Mar 2010 07:29:45 +1000
Allan McRae <allan@archlinux.org> wrote:
>
> As an aside, I would like to see some numbers on where we could
> improve in this area. I have been following the CVE announcements
> and several other distros security releases for the past few months
> and from what I see, I believe Arch is mostly ahead of the game.
> Following the latest upstream releases has its advantages.
>
> Allan
>

This may be true in the sense that by using the latest packages we are
incorporating security fixes as they are released by default. I take
issue with the fact that there's no dedicated team and nothing in place
to deal with security alerts. The other issue being the lack of signed
packages. I don't know how much of a problem this is for other Arch
users.

Would there be any enthusiasm for a dedicated security team? I feel
strongly enough about it that if something can't be done then I'm
switching to another distro. Despite the fact that I really like Arch,
its one deficiency is a pretty glaring one in my opinion. I hope this
doesn't turn into a flamefest and my opinions are by no means meant to
be a slight on the Arch devs or community.

Ananda
 
Old 03-15-2010, 08:55 PM
Gaurish Sharma
 
Default Arch Linux security is still poor....

On Tuesday 16 Mar 2010 2:59:45 am Allan McRae wrote:


>
> As an aside, I would like to see some numbers on where we could improve
> in this area. I have been following the CVE announcements and several
> other distros security releases for the past few months and from what I
> see, I believe Arch is mostly ahead of the game. Following the latest
> upstream releases has its advantages.
>
> Allan
Hi Allan,
The major thing we are missing out on is: package signing.
There is a need to catch up with other distros on this.
Package signing is extremely important to ensure that nobody can tamper with the
packages. Similarly should be way to package's integrity

--
Regards,
Gaurish Sharma
www.gaurishsharma.com
 
Old 03-15-2010, 08:56 PM
Daenyth Blank
 
Default Arch Linux security is still poor....

On Mon, Mar 15, 2010 at 17:43, Ananda Samaddar <ananda@samaddar.co.uk> wrote:
> Would there be any enthusiasm for a dedicated security team?

This has been proposed multiple times, but oddly enough no one who has
proposed it has ever taken any steps to make it happen...
 
Old 03-15-2010, 08:56 PM
Thayer Williams
 
Default Arch Linux security is still poor....

On Mon, Mar 15, 2010 at 2:43 PM, Ananda Samaddar <ananda@samaddar.co.uk> wrote:
> Would there be any enthusiasm for a dedicated security team? I feel
> strongly enough about it that if something can't be done then I'm
> switching to another distro. Despite the fact that I really like Arch,
> its one deficiency is a pretty glaring one in my opinion. I hope this
> doesn't turn into a flamefest and my opinions are by no means meant to
> be a slight on the Arch devs or community.

No offence taken and FWIW a lot of people switch distros because of
one or two fundamental needs that aren't meant. This wouldn't be any
different.

Look forward to hearing what you have to say...
 
Old 03-15-2010, 08:58 PM
Thayer Williams
 
Default Arch Linux security is still poor....

On Mon, Mar 15, 2010 at 2:56 PM, Thayer Williams <thayerw@gmail.com> wrote:
> On Mon, Mar 15, 2010 at 2:43 PM, Ananda Samaddar <ananda@samaddar.co.uk> wrote:
>> Would there be any enthusiasm for a dedicated security team? I feel
>> strongly enough about it that if something can't be done then I'm
>> switching to another distro. Despite the fact that I really like Arch,
>> its one deficiency is a pretty glaring one in my opinion. I hope this
>> doesn't turn into a flamefest and my opinions are by no means meant to
>> be a slight on the Arch devs or community.
>
> No offence taken and FWIW a lot of people switch distros because of
> one or two fundamental needs that aren't meant. This wouldn't be any
> different.

...because of one or two fundamental needs that aren't MET; not meant.
Carry on =)

 
Old 03-15-2010, 08:59 PM
Allan McRae
 
Default Arch Linux security is still poor....

On 16/03/10 07:43, Ananda Samaddar wrote:
> On Tue, 16 Mar 2010 07:29:45 +1000
> Allan McRae <allan@archlinux.org> wrote:
>>
>> As an aside, I would like to see some numbers on where we could
>> improve in this area. I have been following the CVE announcements
>> and several other distros security releases for the past few months
>> and from what I see, I believe Arch is mostly ahead of the game.
>> Following the latest upstream releases has its advantages.
>>
>> Allan
>
> This may be true in the sense that by using the latest packages we are
> incorporating security fixes as they are released by default. I take
> issue with the fact that there's no dedicated team and nothing in place
> to deal with security alerts.

There is no dedicated team, but as I said, we appear to be mostly ahead
of the game in this respect. I would be interested to see how many
packages suffer from security issues that we miss.

> The other issue being the lack of signed packages.

Providing code is the way to fix this. There is a good start that has
been made and it mostly needs someone dedicated to finish it off.

> I don't know how much of a problem this is for other Arch
> users.
>
> Would there be any enthusiasm for a dedicated security team? I feel
> strongly enough about it that if something can't be done then I'm
> switching to another distro. Despite the fact that I really like Arch,
> its one deficiency is a pretty glaring one in my opinion. I hope this
> doesn't turn into a flamefest and my opinions are by no means meant to
> be a slight on the Arch devs or community.

Sure there is enthusiasm for such a venture, at least judging by how
many times this has been brought up in the past. I think one or two of
those times an actual project started up but then died. So it appears
enthusiasm yes, continual motivation no (at least up until now...).

And, this is a great candidate for a community project. A group could
monitor security issues and file bugs to get the devs to fix them. This
is the way all Arch projects start and if they are useful, they may get
taken on board and made official.


Allan
 
Old 03-15-2010, 09:03 PM
Ananda Samaddar
 
Default Arch Linux security is still poor....

On Mon, 15 Mar 2010 14:56:32 -0700
Thayer Williams <thayerw@gmail.com> wrote:
>
> No offence taken and FWIW a lot of people switch distros because of
> one or two fundamental needs that aren't meant. This wouldn't be any
> different.
>
> Look forward to hearing what you have to say...

I'd like to help get things moving before I give up on Arch. It's too
good a distro not to.

I've been having a look at the Gentoo security policy here:

http://www.gentoo.org/security/en/vulnerability-policy.xml

It looks like a pretty good template we could adapt to our needs. The
document in that link is licensed under a Creative Commons attribution
licence. It mirrors a lot of the things I was going to suggest too.

Ananda
 
