Hardened Lunar Linux

Zbigniew Luszpinski zbiggy at o2.pl
Fri Mar 9 19:34:56 CET 2007


Thursday 08 of March 2007 19:32:31 Jean Michel Bruenn wrote:

> I was thinking about a hardened moonbase or
> perhaps special module names. For example:
>
> 	binutils-hd
> 	coreutils-hd
> 	xx-hd
> 	etc.
>
> Or simply a moonbase called hd-moonbase. I would like to know, what u
> would think about this.

Hardened moonbase looks interesting.
I think it would be better to have a separate hd-moonbase with *-hd named
modules (or just a flag inside details). Such diversification is good for some
reasons:
1) security reasons (better control of the system by having knowledge and tools
to gather the status of installed modules (hardened/not hardened)). In a
security-enhanced system non-hardened modules are not welcome and the sysadmin
will probably want to scan the installed modules list for items not meeting
this requirement (to find possible weaknesses/holes). Maybe download via https
or secure ftp from a secured server over an encrypted connection would be
another argument for a separate moonbase-hd file.
2) comfortable maintenance (hd moonbase and hd flags help to distinguish 
modules in tree and discussion about them)
3) most average users (like me) do not need hardening on home machines and
prefer more comfortable use vs a less friendly hardened system.
4) smaller downloads when there are two moonbases (for two different purposes 
and machine destinations)
5) moonbase-hd as a serious, security related project needs very detailed module
review by several top level devs with long experience (not only one!), I do
not know if our community is big enough to handle this. There must be some
monitoring of security websites for rapid implementation and testing of
security patches (less than a few hours reaction time is a must!)
6) Lunar, being a source based distribution with some years of development,
can by introducing moonbase-hd attract the attention of big organisations
which require not only a distro iso but also a team ready to provide the
services described in point #5. The team has to be ready to solve security
related problems when there is not any official patch available.

> Why do I ask for special modules or a second moonbase? Cause: Not everyone
> wants to use those patches. Not everyone needs them. These patches and
> so changed modules are especially useful for ppl who want a secured
> system. That's why I don't want to just submit these patches to the modules
> in the working moonbase everyone uses.

That's right.

> Tell me your opinion - If it's interested I can send the modules so that
> ppl can try it out.

Just my 2 cents. 

> Cheers
> Jean

zbiggy

