Linux Distribution with auditing of packages
I have been out of the UNIX world for some time preoccupied with real life problems. I'm interested in getting a home system up and running, but having difficulties deciding on a base platform.
I am leaning towards a Linux, versus a BSD due to the tremendous amount of employers seeking people with that technology. However, I am attracted to the auditing performed on packages on the BSD end, particularly NetBSD/OpenBSD. Is there a Linux distribution that performs auditing of third party packages? I understand there are some commercial distributions, but wonder if they are more reactive than proactive? Thanks for your time and support in digging into this decision! Regards, stonee |
Please be specific. There are a number of different audits conducted on packages in the BSDs that also apply to gnu/linux distros.
|
I am not familiar with the actual testing/auditing done. These are two links that I've been able to gather from the sites:
http://www.netbsd.org/about/features.html#security http://www.openbsd.org/security.html#process As you can see, I am very much in the dark and scratching the surface. If some type of comparison is available or additional details can be provided it would be very much appreciated. In terms of my specific usage, I am unclear but certainly plan on setting up a multitude of services for my own pleasure and advancement. This is probably not to receive much traffic, but I don't think that this should mean that quality, stability, and security are not important. I don't just want to install something. In the near future I may be living in a moderately high crime area, and need to somewhat rely on a surveillance system for peace of mind and safety. |
link1 - manual code audits - they look through the kernel code for exploits.
link2 - dedicated team of 6 people looking for bugs in key files. Both are talking about auditing the source code. OK: linux kernel project has 1000s of people auditing the code, including top academics around the world and phd students wo get to write a paper on it if they discover something ... so they are motivated. Individual projects will use different methods. Core systems get similar treatment. The two BSDs in your example tend towards a Cathedral development model. http://catb.org/~esr/writings/cathedral-bazaar/ The gnu/linux projects are strongly biased to the bazaar model, and so tend to be more reactive in terms of bug fixes ... the user is also the auditor. This is usually fine because the bugfixes occur very fast, in general, compared with other models. I think the jury is still out about which methods gets you the most secure code in practise. GNU/Linux distros respond to the variability in the wider community by having hierarchies or repositories where core files undergo additional development, including bugfixing, before they get included, and others allow a range of tested third-party code if you want that stuff. |
After some research, it seems that OpenBSD may be the only OS that performs auditing of packages. EnGarde does the next best thing by attempting to provide a safe, minimally configured environment with SELinux. Moreover, EnGarde ships without X11.
The Owl linux distribution also looks awfully appetizing, since it does package auditing of networked packages. But the lack of a general community and momentum steers me away. It seems like a secluded group of people making an OS. It may require extensive verification. Who knows what interesting surprises are found there with the extensive modification on the behalf of the skillful developers? I'll need to look over these development models as soon as I get a chance! I've seen this mentioned here and there, but never really read over the essay. |
Interesting post, I'm also wondering if there's an OS that audits packages.
Quote:
Code:
* bsd - This is the Kernel. Required Code:
Because the OpenBSD project does not have the resources to fully review the source code of all software in the ports tree... |
All times are GMT -5. The time now is 12:16 AM. |