Mailinglist Archive: opensuse-factory (1029 mails)

Re: [opensuse-factory] Re: [opensuse] Re: What happened to dovecot?
On Fri, Nov 29, 2013 at 3:20 AM, L.A. Walsh <suse@xxxxxxxxx> wrote:
On 11/28/2013 1:13 PM, Claudio Freire wrote:

Standard or not, it's the kind of security mechanism that takes so
much effort and knowledge to properly set up, that it HAS to be set up
by the distribution, and by default, to be of any value.

Then why are firewalls 3rd party applications? They can be just
as hard to configure.

They're not. Linux firewalls live in the kernel, and default Linux
installs (especially openSUSE) have included properly configured
firewalls for years.
Maybe you're thinking Windows.

Besides, I didn't say unconfigured and uninstalled. I made a clear
distinction to have it set up, but allow changing the standard to be a choice
made by the user. Even if it was as little as a question during setup --
so they made a positive choice to choose the non-standard security policy --
would be enough.

Well, firing up yast and turning it off isn't rocket science, but
sure, an option somewhere on the advanced install procedure couldn't

So are you saying, or do you believe that if you don't force the
policy on users, it won't be of any value?

Pretty much.

Ie: regular users, and that includes many developers, anyone not
specialized in linux security in fact, don't really know how to
configure something like AppArmor or SELinux, and if they know, they
don't want to have to spend the time to do it on every installation.

For the ones that do not know, having it on by default is a necessity,
since they won't even think of turning it on. And those are probably
over 90% of the target audience.

And in this field (security), statistics matter. Securing 1% of the
target audience is worth nothing, well, unless that 1% happens to work
on a nuclear reactor or something critical like that. But having a
good chunk of the install base vulnerable just encourages botnet
proliferation, and that's a problem for us all.

Either you are saying no one wants it because it has only
had niche testing and you need the opensuse community as guinea pigs to get
the testing done more than to 'niche' level,

Ehm... no, not saying that. Not even close.

or you are saying that the existing
security mechanism = no security and that linux has never had any security
apparmor arrived.

Neither that. Though closer.

Um...I don't think your statement makes sense.

Whatever. We have a saying.

There is no better deaf man than the one who does not want to hear.

SELinux is built-in by default. If they want SELinux, has it been
with AppArmor?

SELinux and AppArmor were developed in parallel IIRC, ie: they're two
technologies with the same aim.

I don't think they're exclusive technically speaking (ie: with a lot
of love they could be made to work together), but I do believe they're
not intended to coexist.

There's also the Biba+Bell La-Padula security models embodied in
Smack. It has had the benefit of being a tried and true method for DOD
since the 80's.

I wouldn't use them as role models. Nor the others you mention.

As for it possibly only protecting niche users -- maybe only niche
users need that level of protection -- vs. the accompanying problems
of programs not

Most common error of those that don't know about security.

Security isn't an individual thing.

Generally, you don't let other people log onto your computer. If
they have gotten that far, that's bad. AppArmor is more for internal
threats initiated from the computer on parts of itself.

Nope, AppArmor is for damage contention. WHEN some of your apps'
security gets breached, AppArmor stops it from spreading harm.

That type of security policy might be more useful in
computers FROM the USERS... Turning it on by default, certainly indicates
an unwillingness to even give users a choice of what security mechanisms
they want on their