[packman] Packman security policy questions

Aniruddha mailing_list at orange.nl
Sat Nov 3 12:41:02 CET 2007


On Sat, 2007-11-03 at 12:23 +0100, Pascal Bleser wrote:
> Aniruddha wrote:
> > I am planning to support openSUSE 10.3 for both companies and home users.
> > I have found the Packman repository irreplaceable to get openSUSE
> > working in all its glory. Thank you for that.
> > 
> > Now on with the more serious questions. My basic question is; I do trust
> > you guys, but
> 
> > how good are your security policies?
> 
> None. Or, well, when we see that there's a bugfix, security fix or newer
> release available, we package it as quickly as possible.
> 
> > Is the original source checked for signs of malware?
> 
> No, we trust upstream. Just like 99% of all the packagers of all the
> distributions.
> 
> > What is your policy for security fixes?
> 
> We apply them ASAP when we find out about them. It's not really a policy
> either.
> 
> > Who monitors them?
> 
> Every member of the Packman team has his set of packages that he takes
> care of. And it's up to each of them to monitor them. Some are on a few
> mailing-lists to catch release announcements as quickly as possible.
> Myself, I just check freshmeat.net (and a few other sites) a few times a
> day to be informed about new releases of the few hundred packages I
> maintain.
> 
> > What is the maximum response time if a vulnerability is discovered?
> 
> No idea, we don't have any support policy. Could be a few days in worst
> case I guess.

Thank you for all your answers.

> I don't know what world you're living in but we're not paid to do this,
> we do it during our spare time, and it's a considerable effort and
> amount of time, health, and commitment going into this from every single
> member of the team. It's totally unrealistic and just plain impossible
> for us to provide SLAs, maximum response time guarantees or whatever.
> Get real.
> 
> If you want a really secure environment (_if_ you actually need that
> level of paranoia), then only use the packages that come with the
> distribution.
> 
> And as the Subversion team likes to put it: "patches are welcome"

Pascal, in the world I live in, people don't regard questions as personal
attacks. Nor do they feel the need to talk in a demeaning manner. However
tempting it might be, I am not going to lower myself to this level of
discussion.

I own my own IT company; I have to know 100% for certain what I offer my
customers. Companies rely on me for good, solid advice. Operating
systems are just a tool for me, nothing more.

Apparently openSUSE/SLED doesn't offer the solution I need. That's fine
with me. I'll just go on and advise another 'tool' that does offer the
kind of security I need.

Gentoo for example is 100% free, it's entirely maintained by volunteers,
and has the highest security standards in the industry:
http://www.gentoo.org/doc/en/security/index.xml
http://www.gentoo.org/security/en/index.xml
http://www.gentoo.org/security/en/vulnerability-policy.xml
http://www.gentoo.org/security/en/coordinator_guide.xml

Besides Gentoo there are Ubuntu/Debian/FreeBSD, which show that it is
possible to make a very secure distribution with only volunteers.

-- 
Regards,

Aniruddha