[opensuse] Re: Carelessness busts Linux security
On 11/12/2009 07:56, Basil Chupin wrote:
The question raised in the kubuntu forum also did not attract a response from those offering kubuntu to its audience. The security question there also remains unanswered - the same as here I have to say.
I don't really understand your concern.
As long as (some) user can install things as root, they can install malware. It's nearly impossible to have a heuristic detecting malware before they do their (bad) job.
Fact is AFAIK such malware are very quickly detected and removed when they come and never spread the world (like shows the thread that was quoted here)
what do you want more?
jdd
-- http://www.dodin.net http://valerie.dodin.org http://news.opensuse.org/2009/04/13/people-of-opensuse-jean-daniel-dodin/
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 11/12/09 18:46, jdd-gmane wrote:
On 11/12/2009 07:56, Basil Chupin wrote:
The question raised in the kubuntu forum also did not attract a response from those offering kubuntu to its audience. The security question there also remains unanswered - the same as here I have to say.
I don't really understand your concern.
As long as (some) user can install things as root, they can install malware. It's nearly impossible to have a heuristic detecting malware before they do their (bad) job.
Fact is AFAIK such malware are very quickly detected and removed when they come and never spread the world (like shows the thread that was quoted here)
what do you want more?
jdd
Have you read and understood what was stated in that kubuntu forum posting?
Have you understood what I am asking/questioning here?
Novell/openSUSE has pushed out the development of oS unto "the community" - the "Build Service" - and any upgrades to the oS are installed with zypper or YaST which ask for root privileges before being implemented.
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review. And by the time the review is made the damage to some system is done -- but Linux keeps claiming, or at least not coming forward to dispel the impression, that users hold that Linux is not vulnerable to security breaches.
The only mantra I keep hearing is that only someone with root access can do anything to a Linux system - but a while back, in this forum, there was a statement which stated that permissions can be altered even if they were within the user's home directory -- but this is where the discussion stopped because no one wanted to carry on with this topic any further.
However, if I am wrong then I would dearly love to hear from some OFFICIAL in Novell/openSUSE - and not from - and I mean *no* offence here in any form or shape - someone called "jdd-gmane" who comes from "gmane.org" - whatever that may be.
BC
-- If you don't succeed you run the risk of failure.
Have you read and understood what was stated in that kubuntu forum posting?
Have you understood what I am asking/questioning here?
Novell/openSUSE has pushed out the development of oS unto "the community" - the "Build Service" - and any upgrades to the oS are installed with zypper or YaST which ask for root privileges before being implemented.
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review. And by the time the review is made the damage to some system is done -- but Linux keeps claiming, or at least not coming forward to dispel the impression, that users hold that Linux is not vulnerable to security breaches.
For sources to be included in the openSUSE Factory and openSUSE release they have to pass 2-3 review steps.
- The packager itself who submits the package.
(You probably assume he might be malicious).
- The reviewing maintainer in the Development Projects of openSUSE Factory.
- The build team who finally checks in the sources into openSUSE Factory.
Things could be slipped by those 2 additional reviewers with enough subterfuge or obfuscation.
The rest of the openSUSE buildservice repositories are of course under the control of the people maintaining those projects/repos.
So if you install stuff from home:kevinmitnick:something the "kevinmitnick" user is totally in control of what is contained there, be it evil or good. We (as openSUSE project or Novell) do not control that.
So in the end you should apply varying degrees of trust to different OBS projects.
Ciao, Marcus
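The varying degrees of trust Marcus describes can be read off a machine's own repository list. The script below is an added example, not part of the thread and not openSUSE tooling: the tier names, function names and sample `.repo` contents are constructed, and it assumes zypper's INI-style repo files and the `download.opensuse.org` URL layout.

```shell
#!/bin/sh
# Added example (not from the thread): sort zypper repositories into trust tiers.
# Tier names and the sample repository definitions below are constructed.

# classify_repos DIR -> one line per repository: alias <TAB> tier <TAB> gpgcheck state
classify_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk '
            function emit() {
                if (alias == "") return
                # home: projects are controlled by a single user
                if (url ~ /\/repositories\/home:/) { tier = "home-project" }
                # other build service projects are controlled by their maintainers
                else if (url ~ /download\.opensuse\.org\/repositories\//) { tier = "obs-project" }
                # the release and its updates went through the Factory review steps
                else if (url ~ /download\.opensuse\.org\/(distribution|update)\//) { tier = "distribution" }
                else { tier = "third-party" }
                if (gpg == "") { sig = "gpgcheck-unset" }
                else if (gpg ~ /^(0|no|off|false)$/) { sig = "gpgcheck-off" }
                else { sig = "gpgcheck-on" }
                printf "%s\t%s\t%s\n", alias, tier, sig
            }
            # Return the text after the first "=" with surrounding blanks removed.
            function value(line) {
                sub(/^[^=]*=[ \t]*/, "", line)
                sub(/[ \t\r]+$/, "", line)
                return line
            }
            /^\[/ { emit(); alias = substr($0, 2, index($0, "]") - 2); url = ""; gpg = ""; next }
            /^[ \t]*baseurl[ \t]*=/  { url = value($0) }
            /^[ \t]*gpgcheck[ \t]*=/ { gpg = value($0) }
            END { emit() }
        ' "$f"
    done
}

# unreviewed_repos DIR -> aliases that are outside the distribution review
# or have signature checking switched off; these need a trust decision by the admin.
unreviewed_repos() {
    classify_repos "$1" |
        awk -F'\t' '$2 != "distribution" || $3 == "gpgcheck-off" { print $1 }'
}

# Constructed sample data so the script runs on any machine.
make_sample_repos() {
    d=$(mktemp -d) || return 1
    cat > "$d/repo-oss.repo" <<'EOF'
[repo-oss]
name=openSUSE-11.2-Oss
enabled=1
baseurl=http://download.opensuse.org/distribution/11.2/repo/oss/
gpgcheck=1
EOF
    cat > "$d/kde.repo" <<'EOF'
[KDE_Factory]
enabled=1
baseurl=http://download.opensuse.org/repositories/KDE:/KDE4:/Factory:/Desktop/openSUSE_11.2/
gpgcheck=1
EOF
    cat > "$d/home.repo" <<'EOF'
[home_kevinmitnick_something]
enabled=1
baseurl=http://download.opensuse.org/repositories/home:/kevinmitnick:/something/openSUSE_11.2/
gpgcheck=0
EOF
    cat > "$d/vendor.repo" <<'EOF'
[vendor-x]
enabled=1
baseurl=http://packages.example.com/suse/11.2/
EOF
    echo "$d"
}

SAMPLE_DIR=$(make_sample_repos)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
classify_repos "$SAMPLE_DIR"
echo "Repositories that need your own trust decision:"
unreviewed_repos "$SAMPLE_DIR"
```

On an installed system the same functions can be pointed at `/etc/zypp/repos.d`, where zypper keeps its repository definitions.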
On 11/12/09 20:51, Marcus Meissner wrote:
Have you read and understood what was stated in that kubuntu forum posting?
Have you understood what I am asking/questioning here?
Novell/openSUSE has pushed out the development of oS unto "the community" - the "Build Service" - and any upgrades to the oS are installed with zypper or YaST which ask for root privileges before being implemented.
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review. And by the time the review is made the damage to some system is done -- but Linux keeps claiming, or at least not coming forward to dispel the impression, that users hold that Linux is not vulnerable to security breaches.
For sources to be included in the openSUSE Factory and openSUSE release they have to pass 2-3 review steps.
- The packager itself who submits the package.
(You probably assume he might be malicious).
NEVER! Wouldn't dream of doing this....unless it is a nightmare :-) .
- The reviewing maintainer in the Development Projects of openSUSE Factory.
- The build team who finally checks in the sources into openSUSE Factory.
Things could be slipped by those 2 additional reviewers with enough subterfuge or obfuscation.
The rest of the openSUSE buildservice repositories are of course under the control of the people maintaining those projects/repos.
So if you install stuff from home:kevinmitnick:something the "kevinmitnick" user is totally in control of what is contained there, be it evil or good. We (as openSUSE project or Novell) do not control that.
So in the end you should apply varying degrees of trust to different OBS projects.
Ciao, Marcus
Many thanks, Marcus, for your response. Taking into account all that you said above, the most important thing which I would like to pin down is: is the claim that Linux is 'secure' and is "unhackable" and that while MS and Mac are vulnerable to hackers etc something like openSUSE is NOT - unless, of course, a Windows emulator is being run on the OS in which case of course normal security crappola used for Windows has to be taken to avoid viruses, trojans, etc and etc and etc.
From your response, and from other responses I have read, it seems that all these responses are skirting around this very basic question of security: is openSUSE impenetrable or not?
OK, the Packager, the Development Project team member, the Build Team can each cock-up and let through a "nasty". Fine. But are you implying that if this should happen then the Linux system we are running is not as wonderful as it is made out to be by some people and can, therefore, suffer the same hernia as any MS or Apple OS now can suffer from malware?
Yep, I've heard the arguments that Linux is now safe simply because all the attention is being paid to MS/Mac systems because they are the most popular, bs, bs, bs - but that Linux OSs are immune from all the "nasties" which plague the MS/Mac OSs.
Yep, and I also have heard that there is no system which cannot be penetrated and that while at the moment things are "safe" there is nothing to say that a week, or so, from now someone will not come up with a way to circumvent security. However, with Linux, because there are many, many eyes examining the code - unlike the proprietary OSs - Linux OSs remain and will remain 'secure'.
But the bottom line is: have we been all living with the misconception put about by Linux fanatics that Linux systems are secure, unlike MS/Mac systems, and therefore we can go to sleep peacefully every night without a worry in the world ? :-) .
BC
(PS. Somehow I feel that we have had a similar 'conversation' some time ago (~2 years ago?))
-- If you don't succeed you run the risk of failure.
On Fri, Dec 11, 2009 at 11:27:38PM +1100, Basil Chupin wrote:
On 11/12/09 20:51, Marcus Meissner wrote:
Have you read and understood what was stated in that kubuntu forum posting?
Have you understood what I am asking/questioning here?
Novell/openSUSE has pushed out the development of oS unto "the community" - the "Build Service" - and any upgrades to the oS are installed with zypper or YaST which ask for root privileges before being implemented.
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review. And by the time the review is made the damage to some system is done -- but Linux keeps claiming, or at least not coming forward to dispel the impression, that users hold that Linux is not vulnerable to security breaches.
For sources to be included in the openSUSE Factory and openSUSE release they have to pass 2-3 review steps.
- The packager itself who submits the package.
(You probably assume he might be malicious).
NEVER! Wouldn't dream of doing this....unless it is a nightmare :-) .
- The reviewing maintainer in the Development Projects of openSUSE Factory.
- The build team who finally checks in the sources into openSUSE Factory.
Things could be slipped by those 2 additional reviewers with enough subterfuge or obfuscation.
The rest of the openSUSE buildservice repositories are of course under the control of the people maintaining those projects/repos.
So if you install stuff from home:kevinmitnick:something the "kevinmitnick" user is totally in control of what is contained there, be it evil or good. We (as openSUSE project or Novell) do not control that.
So in the end you should apply varying degrees of trust to different OBS projects.
Ciao, Marcus
Many thanks, Marcus, for your response.
Taking into account all that you said above, the most important thing which I would like to pin down is: is the claim that Linux is 'secure' and is "unhackable" and that while MS and Mac are vulnerable to hackers etc something like openSUSE is NOT - unless, of course, a Windows emulator is being run on the OS in which case of course normal security crappola used for Windows has to be taken to avoid viruses, trojans, etc and etc and etc.
From your response, and from other responses I have read, it seems that all these responses are skirting around this very basic question of security: is openSUSE impenetrable or not?
OK, the Packager, the Development Project team member, the Build Team can each cock-up and let through a "nasty". Fine. But are you implying that if this should happen then the Linux system we are running is not as wonderful as it is made out to be by some people and can, therefore, suffer the same hernia as any MS or Apple OS now can suffer from malware?
Yep, I've heard the arguments that Linux is now safe simply because all the attention is being paid to MS/Mac systems because they are the most popular, bs, bs, bs - but that Linux OSs are immune from all the "nasties" which plague the MS/Mac OSs.
Yep, and I also have heard that there is no system which cannot be penetrated and that while at the moment things are "safe" there is nothing to say that a week, or so, from now someone will not come up with a way to circumvent security. However, with Linux, because there are many, many eyes examining the code - unlike the proprietary OSs - Linux OSs remain and will remain 'secure'.
But the bottom line is: have we been all living with the misconception put about by Linux fanatics that Linux systems are secure, unlike MS/Mac systems, and therefore we can go to sleep peacefully every night without a worry in the world ? :-) .
Well, the general thing here is that if you install Software from person X person X can gain total control of your system. This is not new.
That installing software is so easy these days and commonly done and suggested makes it more dangerous for the inexperienced administrator, who now needs to know which sources he can trust and which he cannot.
Ciao, Marcus
On 11/12/09 23:46, Marcus Meissner wrote:
On Fri, Dec 11, 2009 at 11:27:38PM +1100, Basil Chupin wrote:
[pruned]
Yep, and I also have heard that there is no system which cannot be penetrated and that while at the moment things are "safe" there is nothing to say that a week, or so, from now someone will not come up with a way to circumvent security. However, with Linux, because there are many, many eyes examining the code - unlike the proprietary OSs - Linux OSs remain and will remain 'secure'.
But the bottom line is: have we been all living with the misconception put about by Linux fanatics that Linux systems are secure, unlike MS/Mac systems, and therefore we can go to sleep peacefully every night without a worry in the world ? :-) .
Well, the general thing here is that if you install Software from person X person X can gain total control of your system. This is not new.
That installing software is so easy these days and commonly done and suggested makes it more dangerous for the inexperienced administrator, who now needs to know which sources he can trust and which he cannot.
Ciao, Marcus
Fine, Marcus, thanks for this - which I fully understand. Ok, the whole thing may be more dangerous for the inexperienced administrator, but what does it then become for the ordinary punter, the Joe-in-street, like myself? "Cataclysmic", "Disastrous", "Calamitous"? :-) The punter in the street installs oS then goes to Repositories and finds "openSUSE Build Service" where he also finds a repo covering the enhancement s/he is interested in; s/he selects it and then installs the software from it. This repo (or list of repos) is not only in a list provided by the vendor of oS but s/he expects that there is nothing to fear because s/he has heard time and time again that a Linux system is "Mr/s Security incarnate"...... Alright....enough, already :-) . The folk using MS/Apple have a thriving industry creating for their users software which is supposed to protect them from all sorts of nasties. May we now expect such an industry arising with respect to Linux-based systems? Is AppArmor designed to be the beginning of such protection for oS (I cannot find any dox for AppArmor in 11.2 for what it is supposed to do)? BC -- If you don't succeed you run the risk of failure.
On Saturday, 2009-12-12 at 17:15 +1100, Basil Chupin wrote:
Is AppArmor designed to be the beginning of such protection for oS (I cannot find any dox for AppArmor in 11.2 for what it is supposed to do)?
No, AA can not protect you from a trojan.
AA protects the system from a previously configured program doing something outside its limits.
Say, you install a text browser. Then you set up an AA profile for that program (it is not done out of the box). If, one day, that text browser tries to open a shell, and this is not an action defined in the profile, it will be stopped. If it tries, say, to read a security log, and this is not allowed in the profile, it will be stopped.
AA only protects those programs (services, normally) that have been profiled in advance. For example, it can list all actions the mail daemon should be allowed to do. If a hacker comes and finds a hole into that daemon and tries to do something not allowed in advance, it will be stopped.
However, if the hole does allow him a root shell... all bets are off. But the profile should not allow a root shell, anyway.
The only thing that can protect you from a trojan, is knowing in advance that it is a trojan and not installing it. Which means, not ever installing anything outside what /you/ define as secure sources.
An antivirus? Well, it will warn you if the malware is already known... not for a new malware.
-- Cheers, Carlos E. R.
On 12/12/09 21:28, Carlos E. R. wrote:
On Saturday, 2009-12-12 at 17:15 +1100, Basil Chupin wrote:
Is AppArmor designed to be the beginning of such protection for oS (I cannot find any dox for AppArmor in 11.2 for what it is supposed to do)?
No, AA can not protect you from a trojan.
AA protects the system from a previously configured program doing something outside its limits.
Say, you install a text browser. Then you set up an AA profile for that program (it is not done out of the box). If, one day, that text browser tries to open a shell, and this is not an action defined in the profile, it will be stopped. If it tries, say, to read a security log, and this is not allowed in the profile, it will be stopped.
AA only protects those programs (services, normally) that have been profiled in advance. For example, it can list all actions the mail daemon should be allowed to do. If a hacker comes and finds a hole into that daemon and tries to do something not allowed in advance, it will be stopped.
Thanks Carlos for this explanation. One can then say that - at a streeetttch - AppArmor is the primitive beginning of an attempt to come up with a protection system from malware for openSUSE. No? :-)
However, if the hole does allow him a root shell... all bets are off. But the profile should not allow a root shell, anyway.
The only thing that can protect you from a trojan, is knowing in advance that it is a trojan and not installing it. Which means, not ever installing anything outside what /you/ define as secure sources.
Aah, but this is what I have been asking about. In all cases for someone who has just installed oS - and even someone who has been using oS for some time - there is a list of repos which provide software for oS. A user selects such a repo because it indicates that it has the file/apps s/he needs to be able to do "A". As a "newbie" I consider that the repos showing in YaST's Repositories are secure - after all they are listed in my (anticipated to be so) favourite distro.....and on top of all this I have been constantly bombarded by Linux people 'shouting' that Linux is DAMN-WELL SECURE!!........ You getting the drift of what I am saying... :-) ?
An antivirus? Well, it will warn you if the malware is already known... not for a new malware.
Absolutely correct.
You can catch only what is known about but not the unknown.
However, having said this, I remember way back in 1990/1 when the author of the BBS software I was running posted a message to all Sysops (of his software) that he was having dinner with some friends the night before and, during a discussion about security and virii, his wife asked a question. The result of this question made him, overnight, sit down and write protection for - not known at that time but what is now known as - the polymorphic virus. So it is possible to preempt nasties....
BC
-- If you don't succeed you run the risk of failure.
On Sun, Dec 13, 2009 at 04:18:35PM +1100, Basil Chupin wrote:
On 12/12/09 21:28, Carlos E. R. wrote:
The only thing that can protect you from a trojan, is knowing in advance that it is a trojan and not installing it. Which means, not ever installing anything outside what /you/ define as secure sources.
[...] As a "newbie" I consider that the repos showing in YaST's Repositories are secure - after all they are listed in my (anticipated to be so) favourite distro.....and on top of all this I have been constantly bombarded by Linux people 'shouting' that Linux is DAMN-WELL SECURE!!........
You getting the drift of what I am saying... :-) ?
Yes: You're talking about a user who does not know anything (which is ok) and who's unable/unwilling to think (which is a reliable way into disaster). In any way, there's security, and there's paranoia. You seem to think there's a way to take care of the latter. There is, but not for simple end users, not at a cheap price (not even for very large values of "cheap"), and usually involving at least 5cm (2in) of air between network connector and network cable (no wlan). No root password, but two armed guards at the door. Security is about trust, and you need to know whom you want to trust if you are thinking about security (which is a good idea, IMHO). Talking about openSUSE, you need to trust the openSUSE team, those people assembling the basic openSUSE system. Plus all the upstream development processes. Next in line are the Community Repositories. Those listed in yast2 are what I would call reasonably safe. But they're optional, and if your security approach leans towards paranoia you can omit them. At the end of the line there are software packages from sites like real1ycoo1w4rez.com, and if you trust them, well... Bottom line, if you automatically believe everything people tell (or shout at) you, I have a really nice car to sell you, almost as good as new, a real bargain! Rasmus
On Sunday, 2009-12-13 at 16:18 +1100, Basil Chupin wrote:
On 12/12/09 21:28, Carlos E. R. wrote:
Thanks Carlos for this explanation.
One can then say that - at a streeetttch - AppArmor is the primitive beginning of an attempt to come up with a protection system from malware for openSUSE. No? :-)
No, AA is a mature solution to protect from some types of attack. Another tool in the toolchest.
The only thing that can protect you from a trojan, is knowing in advance that it is a trojan and not installing it. Which means, not ever installing anything outside what /you/ define as secure sources.
Aah, but this is what I have been asking about. In all cases for someone who has just installed oS - and even someone who has been using oS for some time - there is a list of repos which provide software for oS. A user selects such a repo because it indicates that it has the file/apps s/he needs to be able to do "A".
As a "newbie" I consider that the repos showing in YaST's Repositories are secure - after all they are listed in my (anticipated to be so) favourite distro.....and on top of all this I have been constantly bombarded by Linux people 'shouting' that Linux is DAMN-WELL SECURE!!........
You getting the drift of what I am saying... :-) ?
Linux is more secure than windows. That is a fact. Absolutely secure? No way. That's impossible. Human ingenuity and stupidity always find ways to break things.
An antivirus? Well, it will warn you if the malware is already known... not for a new malware.
Absolutely correct.
You can catch only what is known about but not the unknown.
However, having said this, I remember way back in 1990/1 when the author of the BBS software I was running posted a message to all Sysops (of his software) that he was having dinner with some friends the night before and, during a discussion about security and virii, his wife asked a question. The result of this question made him, overnight, sit down and write protection for - not known at that time but what is now known as - the polymorphic virus. So it is possible to preempt nasties....
Some. A polymorphic is a type. A completely new virus is always unknown. What you can do is stop some of the actions that malware attempts to do, especially when using the system as plain user. However, if you are installing software as root (obviously), all protections are off. Root is powerful... Notice that installing a piece of software by root or admin is no different in windows or in linux. You have to trust the author or packager/distributor of that software. You are in their hands...
-- Cheers, Carlos E. R.
Carlos E. R. wrote:
On Saturday, 2009-12-12 at 17:15 +1100, Basil Chupin wrote:
Is AppArmor designed to be the beginning of such protection for oS (I cannot find any dox for AppArmor in 11.2 for what it is supposed to do)?
No, AA can not protect you from a trojan.
AA protects the system from a previously configured program doing something outside its limits.
Say, you install a text browser. Then you set up an AA profile for that program (it is not done out of the box). If, one day, that text browser tries to open a shell, and this is not an action defined in the profile, it will be stopped. If it tries, say, to read a security log, and this is not allowed in the profile, it will be stopped.
AA only protects those programs (services, normally) that have been profiled in advance.
No, you can set up a very restrictive system that will only allow what has been previously configured. Besides, AppArmor doesn't protect programs, it protects your system against programs. /Per -- Per Jessen, Zürich (0.0°C)
Have you understood what I am asking/questioning here?
It is clear that you do not understand the issue and are trolling for a catastrophe.
Novell/openSUSE has pushed out the development of oS unto "the community" - the "Build Service" - and any upgrades to the oS are
INCORRECT! The Open Source openSUSE project "pushed out" the distribution.
installed with zypper or YaST which ask for root privileges before being implemented.
All of which are digitally signed by the packager - and do not include misc. crap from gnome-art.
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review.
There is no other way to check "benevolence". And stop saying "Novell/openSUSE", it is "openSUSE".
And by the time the review is made the damage to some system is done -- but Linux keeps claiming, or at least not coming forward to dispel the impression, that users hold that Linux is not vulnerable to security breaches.
This issue does not demonstrate a security breach. Don't install unsigned packages or packages created by untrusted developers.
The only mantra I keep hearing is that only someone with root access can do anything to a Linux system - but a while back, in this forum, there was a statement which stated that permissions can be altered even if they were within the user's home directory -- but this is where the discussion stopped because no one wanted to carry on with this topic any further.
There is no topic to carry on.
However, if I am wrong then I would dearly love to hear from some OFFICIAL in Novell/openSUSE
Get lost troll.
- and not from - and I mean *no* offence here in any form or shape - someone called "jdd-gmane" who comes from "gmane.org" - whatever that may be.
On 11/12/09 22:24, Adam Tauno Williams wrote:
Have you understood what I am asking/questioning here?
It is clear that you do not understand the issue and are trolling for a catastrophe.
Go away! Go and play in the traffic. When you really understand what is being discussed, come back. BC -- If you don't succeed you run the risk of failure.
Adam Tauno Williams wrote:
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review.
There is no other way to check "benevolence". And stop saying "Novell/openSUSE", it is "openSUSE".
This isn't appropriate for the thread nor this list, so apologies in advance and please move any continuation to opensuse-project: Adam, I am with Basil on this one - of course it's "Novell/openSUSE", not just "openSUSE". There are far too many "dotted" lines to Novell for that to be even remotely true. It's difficult to even use the term "project" when we barely know who does what and when. /Per -- Per Jessen, Zürich (0.0°C)
On 12/12/09 00:13, Per Jessen wrote:
Adam Tauno Williams wrote:
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review.
There is no other way to check "benevolence". And stop saying "Novell/openSUSE", it is "openSUSE".
This isn't appropriate for the thread nor this list, so apologies in advance and please move any continuation to opensuse-project:
Adam, I am with Basil on this one - of course it's "Novell/openSUSE", not just "openSUSE". There are far too many "dotted" lines to Novell for that to be even remotely true. It's difficult to even use the term "project" when we barely know who does what and when.
/Per
I always knew that you weren't "just a pretty face". :-) BC -- If you don't succeed you run the risk of failure.
On Friday 11 December 2009 03:24:25 am Adam Tauno Williams wrote:
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review.
There is no other way to check "benevolence". And stop saying "Novell/openSUSE", it is "openSUSE".
Please visit http://www.opensuse.org/en/ Scroll down. All the way. Report back the last three words on that page. Report back who has the copyright on that page. -- A computer without Microsoft is like a chocolate cake without mustard.
On 12/12/09 13:21, John Andersen wrote:
On Friday 11 December 2009 03:24:25 am Adam Tauno Williams wrote:
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review.
There is no other way to check "benevolence". And stop saying "Novell/openSUSE", it is "openSUSE".
Please visit http://www.opensuse.org/en/ Scroll down. All the way.
Report back the last three words on that page. Report back who has the copyright on that page.
Ah, what I just said to Per also applies to you. :-) BC -- If you don't succeed you run the risk of failure.
Basil Chupin wrote:
However, if I am wrong then I would dearly love to hear from some OFFICIAL in Novell/openSUSE - and not from - and I mean *no* offence here in any form or shape - someone called "jdd-gmane" who comes from "gmane.org" - whatever that may be.
http://gmane.org/ - a very useful tool by Lars Ingebrigtsen, IIRC. /Per -- Per Jessen, Zürich (0.0°C)
On 12/12/09 00:00, Per Jessen wrote:
Basil Chupin wrote:
However, if I am wrong then I would dearly love to hear from some OFFICIAL in Novell/openSUSE - and not from - and I mean *no* offence here in any form or shape - someone called "jdd-gmane" who comes from "gmane.org" - whatever that may be.
http://gmane.org/ - a very useful tool by Lars Ingebrigtsen, IIRC.
/Per
I received a similarly worded private, off the list, message from another person. My response to that, and which is now the same to your posting here, is that I have read many, many, messages from people who "have been around" oS/Linux for a long time - but they can also come up with crap. The analogy about those arguing for and against climate warming which I mentioned stands. My post specifically refers to "OFFICIAL...Novell/openSUSE" response. I can see quite a number of people using the "opensuse.org" in their e-mail address - such as Patrick - but I do not think that that would constitute an "official" response from Novell/openSUSE :-D . So far Marcus has responded, and I accept his responses. BC -- If you don't succeed you run the risk of failure.
On Sunday, 2009-12-13 at 17:55 +1100, Basil Chupin wrote: ...
My post specifically refers to "OFFICIAL...Novell/openSUSE" response.
I can see quite a number of people using the "opensuse.org" in their e-mail address - such as Patrick - but I do not think that that would constitute an "official" response from Novell/openSUSE :-D .
So far Marcus has responded, and I accept his responses.
Yes, but it is not an "official" response from the company he works for >:-) -- Cheers, Carlos E. R.
On Fri, 11 Dec 2009 20:24:07 +1100, you wrote:
Novell/openSUSE has pushed out the development of oS unto "the community" - the "Build Service" - and any upgrades to the oS are installed with zypper or YaST which ask for root privileges before being implemented.
And will only install packages signed with a known key. If it doesn't know the key it asks you for confirmation to install that key. If you install that without checking the fingerprint, you're on your own.
As far as I am aware Novell/openSUSE have no way of checking the benevolence of what is produced in BS - except by user peer-review.
And by the time the review is made the damage to some system is done
If you install from some random home project (those with the home: in the project name) you're not better off than downloading the tarball from some random unknown site, compiling and then installing it. From any other source in the BS you have to remember that nothing goes into them without approval from its maintainers.
Linux keeps claiming, or at least not coming forward to dispel the impression, that users hold that Linux is not vulnerable to security breaches.
Nobody has claimed something like it. Of course it is vulnerable, but it is by far less vulnerable than other OSs.
they were within the user's home directory -- but this is where the discussion stopped because no one wanted to carry on with this topic any further.
On a sanely configured system nobody has access outside his or her home directory, period!
However, if I am wrong then I would dearly love to hear from some OFFICIAL in Novell/openSUSE - and not from - and I mean *no* offence here in any form or shape - someone called "jdd-gmane" who comes from "gmane.org" - whatever that may be.
Though I am an employee of SUSE I'm in no position to be able to officially speak for SUSE. But do ask over on openSUSE-security, which is the right list for such questions. You should be able to reach our security folks over there. Philipp
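The two conditions Philipp names (signature checking and the extra risk of home: projects) can be audited from the repository definitions. This is an added example, not part of the original thread or openSUSE's own tooling. It assumes zypper's INI-style `.repo` files with `baseurl`, `enabled` and `gpgcheck` keys and that home: projects show up as `/repositories/home:` in the URL; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit zypper repository definitions (INI sections, one per repo).
# Prints "alias<TAB>finding" for every enabled repo that
#   - has signature checking explicitly switched off (gpgcheck=0), or
#   - points at a Build Service home: project.
audit_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -F= '
            function report() {
                if (alias == "" || enabled == "0") return
                if (gpg == "0") printf "%s\tgpgcheck-disabled\n", alias
                if (url ~ /\/repositories\/home:/) printf "%s\thome-project\n", alias
            }
            /^\[.*\]/ {
                report(); alias = substr($0, 2, index($0, "]") - 2)
                gpg = ""; url = ""; enabled = ""; next
            }
            $1 == "gpgcheck" { gpg = $2 }
            $1 == "enabled"  { enabled = $2 }
            $1 == "baseurl"  { url = substr($0, index($0, "=") + 1) }
            END { report() }
        ' "$f"
    done
}

# Constructed sample definitions (hypothetical aliases and mirror host).
write_sample_repos() {
    cat > "$1/sample.repo" <<'EOF'
[repo-oss]
enabled=1
baseurl=http://download.opensuse.org/distribution/11.2/repo/oss/
gpgcheck=1
[home_example]
enabled=1
baseurl=http://download.opensuse.org/repositories/home:/example/openSUSE_11.2/
gpgcheck=1
[local-nosig]
enabled=1
baseurl=http://mirror.example.invalid/rpms/
gpgcheck=0
EOF
}

sample=$(mktemp -d)
write_sample_repos "$sample"
audit_repos "$sample"
rm -rf "$sample"
```

On an installed system the directory to pass is `/etc/zypp/repos.d`. A repo with no `gpgcheck` line inherits the system default and is not flagged here.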
On Friday 11 December 2009 01:24:07 am Basil Chupin wrote:
The only mantra I keep hearing is that only someone with root access can do anything to a Linux system - but a while back, in this forum, there was a statement which stated that permissions can be altered even if they were within the user's home directory -- but this is where the discussion stopped because no one wanted to carry on with this topic any further.
Well maybe it had already become a long boring rant by then. However, this is what SELinux is all about, as best as I understand. With it you can even control the user's ability to install executables in their own directory which would be quite nice for things like corporate machines. I've been meaning to take another look at SELinux, the last time I looked it was a bit of a major hack to get all the Access control lists established. -- A computer without Microsoft is like a chocolate cake without mustard.
On Fri, 2009-12-11 at 18:17 -0800, John Andersen wrote:
On Friday 11 December 2009 01:24:07 am Basil Chupin wrote:
The only mantra I keep hearing is that only someone with root access can do anything to a Linux system - but a while back, in this forum, there was a statement which stated that permissions can be altered even if they were within the user's home directory -- but this is where the discussion stopped because no one wanted to carry on with this topic any further.
Well maybe it had already become a long boring rant by then.
+1. Aw, heck, +5
However, this is what SELinux is all about, as best as I understand. With it you can even control the user's ability to install executables in their own directory which would be quite nice for things like corporate machines.
Or mount /home as "noexec" [which is normal for fileservers]. man mount
I've been meaning to take another look at SELinux, the last time I looked it was a bit of a major hack to get all the Access control lists established.
There is also AppArmor.
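A check that the noexec option suggested above is actually in effect for a given path, as an added example that is not part of the original thread. The function names and the sample mount table are constructed, and the table is assumed to be in `/proc/mounts` format.

```shell
#!/bin/sh
# Added example: report whether the filesystem holding a path is mounted noexec.
# $1 = mount table in /proc/mounts format, $2 = absolute path to check.
# Prints "<mountpoint> noexec" or "<mountpoint> exec"; exit status is 0 only for noexec.
covering_mount_noexec() {
    awk -v path="$2" '
        {
            mp = $2
            # A mount covers the path if it is "/", equals the path, or is a directory prefix of it.
            covers = (mp == "/" || path == mp || index(path, mp "/") == 1)
            # Longest mount point wins; on a tie the later entry shadows the earlier one.
            if (covers && length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END {
            if (best == "") exit 2
            n = split(opts, o, ",")
            state = "exec"
            for (i = 1; i <= n; i++) if (o[i] == "noexec") state = "noexec"
            print best, state
            exit (state == "noexec" ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample mount table (hypothetical devices).
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
covering_mount_noexec "$sample" /home/alice/bin/tool
rm -f "$sample"
```

On a live system pass `/proc/mounts` as the first argument.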