View Issue Details

IDProjectCategoryView StatusLast Update
0000040administrationsecuritypublic2005-02-23 16:15
Reporterherrold 
PrioritylowSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
PlatformOtherOSotherOS Version
Product Versionunspecified 
Target VersionFixed in Version 
Summary0000040: caos-security package now needed
DescriptionPage content presently states:

Security
 
/ Security

cAos has some features built into the design that will make it inhearantly more
secure (rather current) then many of the other available distributions. The
first has to do with the fact that this is a community project. The second is
the version scheme that we are building. It does not require us to backport
fixes (except for several core packages) and allows us to respond quickly to the
needs of the community. Lastly it has to do with some architectural features
(ie. security meta RPMS) that will force a system to not have any known insecure
software installed.

There will always be debate on what is more secure. Community or comercial
software. Each has their benefits and drawbacks, but without the religious
debate and only stating the obvious, community code has more eyes watching it.
Bugs are found more often and publically. This means that the code develops
faster, and it is more important to keep the system current.

So why is cAos a good solution? Once again it is because of the nature of the
Open Source community. When commercial Linux distributors have a severe
vulnerability, they usually wait for the maintainer (a community memeber) to fix
it, and then repackage it for the OS. By allowing the package maintainers to
update the distribution themselves (as done in cAos), this removes the extra step.

Something else to note is that for comercial reasons, many of the distibution
companies don't like to update the versions of the code base in a particular
released version. This means that all fixes must be backports, and code hacks.
This adds a high potential for latency in the final release. The cAos version
scheme is designed to allow fast updates, incorporating a testing, Q/A, and
package signing stage.

cAos also includes a security meta RPM. The meta RPM is an RPM that does not
include any files, but rather specifies other packages that it conflicts with.
For example, openssh-3.1 is known vulnerable. The current security RPM can
specify that it conflicts with openssh <= 3.1. To install the security meta RPM,
you must either have openssh upgraded to a non-vulnerable version -or- remove it
from the system!

The security META RPMS are the best update choice for servers or stable systems.
While the entire repository may be moving forward, updating only the security
RPM will cause a cascade of events updating the packages that have known
vulnerabilities, rather then all packages in the repository.

cAos is the only (at this time) distribution using META RPMS in this fashion.

================================================= content ends

GP-1 needs to have the security tracking package added; all cAos releases need
to have this added to the release Checklist as a Requirement in caos-release.

Initially a meta package called 'caos-security' is needed.

RPH to write formal design Version and Release numbering
RPH to post one for incorporation
TagsNo tags attached.

Activities

herrold

herrold

2005-02-23 16:15

reporter   ~0000161

Last edited: 1970-01-01 00:00

long since overtaken by events - closing

Issue History

Date Modified Username Field Change
2005-02-23 16:15 herrold Status NEW => RESOLVED
2005-02-23 16:15 herrold Resolution => FIXED