Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Boyd Lynn Gerber <gerberb@xxxxxxxxx>
  • Date: Thu, 1 Nov 2007 12:15:42 -0600
  • Message-id: <Pine.LNX.4.64.0711011207521.30397@xxxxxxxxxxxxxxx>
On Thu, 1 Nov 2007, Aniruddha wrote:
On Thu, 2007-11-01 at 10:36 -0600, Boyd Lynn Gerber wrote:
Of course it is doable (see Debian/Gentoo/FreeBSD/Ubuntu) who
support up to 22000 packages. The only question is how ;)

Every Distribution/Unix/Linux variant has constraints. I have seen
exploits in all of them. Someone has to do the programming and checking.
There are not enough paid people on any of the Distribution or OS's to
really bring security to a C2 level (US). Novell/SUSE has done a lot in
getting security to a great level. Many of the packages in the 22000 have
not had a security audit. You still have to trust. I have worked with
the Devs on all the BSD variants. Just because they are in the
distribution does not make them more secure. I know. I have placed
reports and the authors have acknowledged that no security audit has been
performed. So please do not make general noise about how great the
security is. It is not there.

Interesting view from the inside :). I can imagine that devs don't have
time for a full fledged security audit (reviewing all code manually).
And I don't think this is necessary, correct me if I am wrong. Are you
only experienced with 'BSD or also with Gentoo/Debian?

All the various *BSD's and Debian, a little Gentoo, but mainly SUSE. An
audit is necessary for C2. It even requires the HW to be audited. The
cert is for exactly the system.

Boyd Gerber <gerberb@xxxxxxxxx>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047