[ubuntu-hardened] Re: Any progress on hardening Ubuntu?

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Sun Oct 9 16:50:01 CDT 2005


On dom, 2005-10-09 at 23:04 +0300, Timo Aaltonen wrote:
> On Sun, 9 Oct 2005, Magnus Therning wrote:
> 
> > Sorry for the cross-post but there's been *very* little action on
> > ubuntu-hardened since May (one email, from me :) and I wanted a slightly
> > larger audience.
> >
> > Has any work been done on what was written in the spec
> > (http://pearls.tuxedo-es.org/ubuntu/ubuntu-hardened-spec-20050503.pdf)?
> 
> maybe these pages are of interest:
> 
> https://wiki.ubuntu.com/UbuntuHardened
> https://wiki.ubuntu.com/ProactiveSecurity
> https://wiki.ubuntu.com/ProactiveSecurityRoadmap

I hadn't time to send anything to the list but so far, progress has been
made regarding vSecurity. I've done packages which need some fixes but
are mostly ready to get into Universe if Martin (pitti) feels OK with
it.

One of the reasons, among the fact that I'm quite busy with school right
now, is that I'm finishing the implementation of CapOver-like features
with help from a third-party, and thus, there's no point in pushing the
packages (after fixing the little issues left) without such new features
if we can finish and test them soon.

Also, I couldn't send information about it, but gcc-4 comes now with IBM
Stack Smashing Protector (aka ProPolice) support. It was accepted by
upstream and thus, we don't need to work that by ourselves anymore.

Regarding SELinux, as I commented to some fellows around, I'm waiting
for the forthcoming policy modules which will help greatly with its
implementation. By now I'll try to arrange the targeted policy package
as a bounty after finishing the vSecurity stuff and then prepare an
updated policy package.

I don't have plans to provide source packages for the policy (by
default), so, I'll bring up a package with a ready-to-use compiled
policy (probably v18, as we are still on 2.6.12 in Breezy). This can
sound confusing, but we should give it a try.

I apologize, once again, for the delay on talking about the project
status and giving out news and advice about it, but I've been certainly
busy in these last months.

Last but not least, Debian has been accepting changes related to
user-land SELinux support and I'll try to come with a short summary
explaining what's "merged" and what's left.

Sincerely, I want to note also that I need more people volunteering on
this. I can't develop, write specifications, write schedules, code,
package and do politics at the same time. If I have to do everything, I
can't focus on any specific task and thus, there's no way to get
anything done correctly. At most, I can do two things at the same time, but
nothing more. Above that limit, I just can't work in a reliable manner,
and that's a dead end for a project like this one, which really needs
team work.

Help is needed for maintaining accurate information online (updates and
changes are planned for http://www.debian-hardened.org and I'm seeking
for people to work all-together in it), managing schedules and also
packaging work. People willing to contribute but *not just eventually*.
It would be really nice to see some kind of "official support", that is,
involvement of "official members" of the Ubuntu Linux community, but I'm
sure they already have *lots* of work to do.

Best is to explain all the details in a meeting, so, I propose to
arrange one in the IRC, either in OFTC or FreeNode network. I will be
able to get around for this next weekend or this Tuesday night. Channel
is #ubuntu-hardened.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]