Date: Fri, 03 Apr 2015 01:09:39 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: membership request to the closed linux-distros security mailing list

On 02/04/15 07:43 PM, Seth Arnold wrote:
> On Fri, Mar 20, 2015 at 02:00:29PM +0100, Sona Sarmadi wrote:
>> On behalf of Enea Software AB, I would like to request membership to
>> the closed linux-distros security mailing list.
> 
> Speaking strictly for myself, I'm still somewhat skeptical; the security
> announce archives http://mail.lists.enea.com/pipermail/security-announce/
> do show some security updates, but (guessing) 15% of the actual patch
> links I tried to follow no longer exist.
> 
> Furthermore, the advisories all suggest downloading patches via http and
> offer no mechanism to validate the patches before applying them. Consider
> this recent advisory:
> http://mail.lists.enea.com/pipermail/security-announce/20150326/000064.html
> 
> - there's no gpg signature on this advisory
> - there are no cryptographic checksums in the advisory to authenticate
>   the patch even if the advisory were signed
> - there are no ascii-armored signatures in the patches
> - there are no detached signatures at
>   http://linux.enea.com/5.0-beta-m400/patches/
>   or at
>   http://linux.enea.com/4.0/patches/
> 
> If downloading patches and applying them by hand is really the
> distribution model Enea has chosen, then it feels like the provenance
> of updates is seriously lacking.
> 
> In my opinion, until some more of the security basics are covered,
> joining linux-distros@ is premature.

I guess Ubuntu has to be dropped from the linux-distros then, because
www.ubuntu.com appears to be http-only and the ISO download is entirely
insecure. The security notices are also served insecurely there:

http://www.ubuntu.com/usn/

Am I missing something...? It doesn't make much sense to criticize this
when you folks are doing the same. I do get the impression that Enea
Linux is handling security poorly (where are all of the other issues?)
but this bothered me.
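The checks Seth lists as missing, in code: an advisory that carries a SHA-256 digest per patch, and a client that refuses any downloaded patch it cannot match. This is an added example written for this page, not code from the thread, from Enea or from Ubuntu; the advisory text, patch bytes and the filename foo-fix.patch are constructed.

```python
import hashlib
import hmac
import re

# One "SHA256 (file) = hex" line per patch, the BSD-style form many distros put in advisories.
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$", re.M)

def parse_checksums(advisory_text):
    """Return {patch filename: expected SHA-256 hex digest} from an advisory body."""
    return {m.group("name"): m.group("digest") for m in CHECKSUM_RE.finditer(advisory_text)}

def verify_patch(name, data, expected):
    """True only if the patch is listed in the advisory and its digest matches.

    Unlisted patches fail closed: a fetched file that the advisory never vouched for
    must not be applied just because it sat next to the others on the http server.
    """
    if name not in expected:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected[name])

def check_downloads(advisory_text, downloads):
    """Map each downloaded patch name to its verification result (apply only the True ones)."""
    expected = parse_checksums(advisory_text)
    return {name: verify_patch(name, data, expected) for name, data in downloads.items()}

# Constructed sample data standing in for a patch downloaded from the patches directory.
GOOD_PATCH = b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-int x;\n+int x = 0;\n"
# The same patch altered in transit by one line (constructed; plain http gives no way to notice).
ALTERED_PATCH = GOOD_PATCH.replace(b"+int x = 0;", b"+int x = 1;")

# Constructed advisory body carrying the digest. The mail itself would still need a gpg
# signature: an unsigned checksum served over http only detects corruption, not substitution.
ADVISORY = (
    "Subject: [constructed example] security update for foo\n\n"
    "SHA256 (foo-fix.patch) = " + hashlib.sha256(GOOD_PATCH).hexdigest() + "\n"
)

if __name__ == "__main__":
    for name, ok in check_downloads(ADVISORY, {"foo-fix.patch": GOOD_PATCH}).items():
        print(name, "OK" if ok else "REJECT")
```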
