The Trusted Debian project aims to create a highly secure but usable Linux platform. To accomplish this, the project will use currently available security solutions for Linux (like kernel patches, compiler patches, security related programs and techniques) and knit these together to a highly secure Linux platform. The first official Trusted Debian beta release, v0.9 is now available.
Trusted Debian Releases Public Beta
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
How does this differ from a regularely updated Mandrake with the secure kernel?
No how does it compare to Debian Woody…which IMHO is much more secure and stable than anything mandrake could ever put out. I mean if you have the security updates in ur sources.list, aren’t you pretty much covered? I just don’t see the need for a more secure version of a distro that is already probably the most secure distro out there.
The comparison to Debian Woody is definitely a good one. I honestly don’t see why this distribution is being created. It doesn’t seem like there is any definable difference between it and Debian itself.
You apparently haven’t visited the site. It seems like there a good number of kernel patches and sensible security measures that are being placed on a standard woody install.
Basically they’re taking a distribution that is patched so it contains no known exploits and then hammering down the hatches to close of exploits that are unknown to th community but possibly known to black-hats.
For instance, from what I could tell they have recompiled packages so that buffer overflow exploits are less likely to be possible. Also they want to implement PID and IP randomization (what that exactly is I’m not sure).
This is great.
Though I find it strange that they are using PaX seperately, why not use GRSecurity… it also has PaX integrated, along with many other patches.
skaeight: “I mean if you have the security updates in ur sources.list, aren’t you pretty much covered?”
In my expierience wrong user behaviour is still security risc number one, not defective software.
skaeight: “I mean if you have the security updates in ur sources.list, aren’t you pretty much covered?”
No. Run Bastille (http://www.bastille-linux.org/) sometime on a fresh install and see all the suggestions it makes.
If you are aking these questions, this release is not targeted toward you. There is a big difference between a patched system and a patched system designed for security.
Most of the comments on Trusted Debian are wrong, they assume things which are not true.
It is true that bugs get fixed and packages get uploaded to security.debian.org. It does not mean that your system is free of security related problems. Software is buggy and you can fix software as many times as you want, it will still be buggy.
The OpenBSD people have been fixing software for years now and even they have been embarrased by break-ins. In other words, fixing is good, but it is not sufficient.
There are many patches and other things available for Linux which reduce the risk and/or the impact of break-ins. Noone uses them. Why? Heck, I don’t know, fact is: Noone does. And that is why the Trusted Debian project was started, to provide everyone who wants to easy to install security and hopefully force other distribution makers from following this.
If you look at OpenBSD, which has to hold up a reputation regarding security, they have added similar functionality to protect data from being executed (which is what PaX does in Trusted Debian), they added IP-Sec VPN support (FreeS/WAN for TD), they are using the stack protector GCC patch for their upcoming 3.3 release (TD uses it too) and they have access control in the form of systrace (where TD will use RSBAC). The OpenBSD people do not just spend time adding this functionality for nothing and neither is the Trusted Debian project.
RSBAC offers much more than the TPE and ACLs in gr-security, so that is why PaX was choosen instead of gr-security.
Usability is an important aspect of the Trusted Debian project, for the reason given here: Human error is the biggest security risk.
And I want to make the system secure in such a way that noone needs to run scripts like Bastille.