In-Reply-To: <CAAgxajG4_R8oG-kmkGQ76pPSU38CECzzngLQ=WSTJaFOGDT0cA@mail.gmail.com>
References: <d577fdcf7971a1f4df14c3044b172b5a@openmailbox.org>
 <CAAgxajE8WRoz3hAZrVLL4H2OoaXnLG094XJR-4cgKoV_vjt=nA@mail.gmail.com>
 <CAKkunMaTLJpRrJZhO-ES+qXQmNYLBkuJ3A3PH=jX3tYTr8hS1g@mail.gmail.com>
 <CAFggDF0LSc9qPTtE5qb0tMEtGLsrJayG-djuD0wyGavhcQuHWw@mail.gmail.com>
 <CAAgxajG4_R8oG-kmkGQ76pPSU38CECzzngLQ=WSTJaFOGDT0cA@mail.gmail.com>
Date: Mon, 24 Aug 2015 17:50:59 +0000
Message-ID: <CAFggDF2UjkD1ameSLVohio8N8TKuGYUjVCPFUESCa6xabOsFew@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] What's to be Done

Hi,

On 8/24/15, Apple Apple <djjdjdjdjdjdjd32@gmail.com> wrote:
> It's not a Debian specific problem. Even "Security Conscious" distros like
> Fedora only build a dozen or so key packages with pic and ssp because of
> performance concerns. Address sanitizer is obviously out of the question.

I think that this is where we'll find an advantage with Subgraph - who
is basically going to do the right thing with security all around.
They are basing a lot of their work on Debian, so I suspect some - if
not all - will be folded back into the mainline.

>
> Then of course Linux does not have proper ASLR without 3rd party kernel
> patches anyway making pie pretty pointless.

That's part of why you'd want grsec....

>
> There is a good article out there on why rsbac does not use lsm, I
> recommend you read it if you do not understand the current security vs
> performance dynamic within Linux. You should also read up on the history of
> Pax and ask why it is not in the mainline Linux tree.
>

I understand the major bits and I've talked with Spender a bit about
things we could do to ship useful configurations for a kernel.

> For whoever asked about previous Debian specific attempts I suggest you
> look into a project called mempo, now defunct of course.
>

I'm familiar with mempo - it is defunct because they did not actually
take the time to work on integrating it with Debian properly. They did
their own thing and it was nearly impossible for even interested
parties to review it. Very sad but shows the importance of taking the
harder Debian direction of travel if we want Debian's sustainability.

> Given what I've said above we return to my original point. No mainstream
> distro, especially Debian, is willing to pay the cost (mostly performance)
> for adding meaningful security. If your plan is to try to bulldoze all this
> stuff into Debian testing, that's not going to work...

My plan is to ensure that we improve a number of things - we won't get
ASAN for every package in the archive by default, obviously. We will
finally have rpc turned off by default and we will have a grsec
enabled kernel as an option. That is a starting point and it is an
incremental improvement. For everything else, I think we'll see an
uptick in SubgraphOS users that fold positive things back into Debian
proper.

All the best,
Jacob

