ALSTF (Arch Linux Security Task Force)?
On 06/12/2010 10:06 AM, Marek Kozlowski wrote:
> I've found such a topic when browsing the Wiki:
> Well, sounds like a very smart idea. IMHO it's a thing that makes a
> distro more 'prestigious' -- it's quite difficult to convince someone to
> use a distro for something more than just a testing workstation if
> its security is, let's say... 'unknown'. Unfortunately there *are* some
> regressions in the upstream that make the latest stable releases
> vulnerable. In fact it's the main reason that prevents my faculty from
> switching from Gentoo and long-time compilations to simple and KISS-ing
> Arch. Any work toward ALSTF in the recent past?
After reading the wiki page it seems that at least the part of keeping
with the latest _stable_ upstream release is already followed (within
reasonable limits not to break stuff for everyone), if not then lots of
families will cry, scream and ask why package foo hasn't been updated to
the latest upstream release :P
On the other hand, the security business seems to be a full time job,
Arch's devs already donate a considerable time to maintain Arch and keep
things running smoothly, I am very grateful for that and in my opinion
they do a great job and it is selfish to ask them to do even more.
The other side of things, and I've seen it popping up here and in the
forums, is the use of selinux and similar security measures. People that
have opted to use Arch because of its philosophy are most probably
people that really want to have a grasp of how things work and want to
know how to solve problems, therefore typically they don't bite more
than they can chew and start simple.
From my very limited experience, selinux is not easy to manage unless
you really know what you are doing and most users do not ask for it so
devs and TUs don't spend time maintaining something that no one uses.
My guess is that if you really need these features and peace of mind you
have two options, either start the effort to maintain it within Arch, if
you have the time and feel up to it, or use another distro in your
critical machines that provides these features for you. I guess that up
until now no one felt capable of tackling this task or the itch wasn't
that bad :P