usr_devx - too much stripping ?

jmarsden
Posts: 265
Joined: Sat 31 Dec 2005, 22:18
Location: California, USA

#31 Post by jmarsden »

jmarsden wrote:
>That's part of being an independent distribution, it seems to me. Puppy's small size keeps it more manageable (300+ packages) than larger distributions with thousands of packages. Thirty or so developers maintaining an average of ten packages each is all it will take, and some packages are very small and simple indeed.

Guest (really cncuser) wrote:
>i really don't see how this could come true :( i think that if we don't use a "stronger base" it's very likely that this will never happen :( even if it were just 300 packages. i don't even see enough people here for maintaining the gnubase (glibc, binutils, gcc..)

How many security patches for binutils and gcc have been released in the last couple of years that were significant enough to force major distributions to issue updated packages between releases? How many for coreutils or diffutils or bash or find for that matter? I suspect the answer is either "none" or "very few"! Which means that the burden of maintaining Puppy source packages for those kinds of things is likely to be fairly low. System libs like glibc are, of course, going to take more work to maintain. One really 'interesting' one to maintain from a security perspective may be Xorg, since AFAIK it is not designed to be run as root, but Puppy runs it as root... but let's not discuss that right now!

Right now, Puppy uses fairly old versions of many packages and has no established security update team, nor a mechanism for distributing such updates to users. It seems to me that using more current sources and then working towards having assigned package maintainers is a step forward for Puppy. We won't know whether it is doable until we try it. Even if we end up with only 5 people doing all the package maintenance, that is probably still a useful improvement in scalability and long term viability compared to Barry doing everything himself!

Jonathan

flavour
Posts: 125
Joined: Thu 08 Sep 2005, 20:26
Location: Bicester, UK

#32 Post by flavour »

Puppy users don't generally need to worry about security updates as much as many other distros for 2 reasons:
(1) not often multi-user
- hence locally-exploitable holes are (almost) irrelevant
(2) not often a public-facing server
- hence remote attackers have nothing to target

The 1 area that needs attention is the apps that access remote servers
- particularly browsers (e.g. Firefox when that's present) & e-mail clients.

Of course, it doesn't hurt to keep other stuff refreshed as/when possible...but mostly that should be the job of the 3rd-party packagers, such as SSHd (which is critical for my own version...)

F

cncuser...

#34 Post by cncuser... »

jmarsden wrote:
>Right now, Puppy uses fairly old versions of many packages and has no
>established security update team, nor a mechanism for distributing such
>updates to users. It seems to me that using more current sources and then
>working towards having assigned package maintainers is a step forward for

well, if every package has its maintainer then i too think it would be best.

>Puppy. We won't know whether it is doable until we try it. Even if we end up
>with only 5 people doing all the package maintenance, that is probably still
>a useful improvement in scalability and long term viability compared to
>Barry doing everything himself!

maybe. i'd rather compare it to using rocklinux or debian sourcepackages.
they for sure are maintained actively. and the scalability and long-term
viability would be even bigger in my opinion. whatever :)

going to study rocklinux tonight.

cu

Guest

#35 Post by Guest »

flavour wrote:
>Puppy users don't generally need to worry about security updates as much
>as many other distros for 2 reasons:
>(1) not often multi-user
>- hence locally-exploitable holes are (almost) irrelevant
>(2) not often a public-facing server
>- hence remote attackers have nothing to target
>
nice view. but not realistic. puppy users have to be even more
frightened. they most of the time run each and every app
with root privileges..."and one two three, a rootkit to thee".
there have been numerous exploits for gaim and firefox in the past.
also i've been stepping over some network enabled apps (wiki, some
timetracker..) which of course could be a remote attacker's target.

>
>The 1 area that needs attention is the apps that access remote servers
>- particularly browsers (e.g. Firefox when that's present) & e-mail clients.

partly true. but every mp3 every jpg every piece of external data
being interpreted by some software on puppy could be the target
for an exploit.

EXCLUSION: PUPPY USERS DO HAVE TO WORRY MORE ABOUT
SECURITY THAN USERS OF MAJOR DISTRIBUTIONS. IMHO

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#36 Post by Pizzasgood »

Root root root. Trees make extensive use of roots, and they're just fine. My roots extend across the Atlantic ocean to Germany, Ireland, and Scotland. I'm still standing. Mountains are also said to have roots.

In my opinion, there are specific areas where the root issue is a problem. Running a webserver, for example. Or multi-user situations.

Neglecting accidental deletion, being a user would limit me more than protecting me. My data, which is what is important, is still just as vulnerable. The OS files can be replaced easily. Especially with Puppy. But that essay I wrote can't. Neither can that wallpaper I drew, or my 242 megabyte wallpaper collection. I care MUCH more about them. But does being a user protect them? Nope. So, being a user offers me no protection.


Another thing to consider is the Puppy Factor. Puppies are tough little guys. Especially Aussie Pups. They have boot scripts that you CAN'T alter without remastering. Any altered or removed files from /usr can be fixed by removing it from /root/.usr. /root/ and /etc are the only other directories you can edit. The rest are INVINCIBLE! /root/ (your home directory) would be vulnerable as a user too, it would just be called /home/pizzasgood/ instead. So /etc is the only thing left particularly vulnerable.

Puppy is also easy to back up, just make a copy of the pup001 file. That backs up the ENTIRE thing. Puppy is also easy to reinstall. As Lobster frequently mentions, he can be on the net after three minutes of inserting the disk and booting.


If you ask me, all the above make Puppy one tough little penguin. And that's not taking into account the option of running entirely in the ramdisk for the truly paranoid, or multisession for archives of EVERY USE, which makes it very easy to go back and find backups. Then there is the somewhat unknown quality, which adds a small bit to Puppy's hide. Not much, but it's there none the less.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

cnc

#37 Post by cnc »

pizzasgood wrote:
.....
>Another thing to consider is the Puppy Factor. Puppies are tough little guys.
>Especially Aussie Pups. They have boot scripts that you CAN'T alter without
>remastering. Any altered or removed files from /usr can be fixed by
>removing it from /root/.usr. /root/ and /etc are the only other directories
>you can edit. The rest are INVINCIBLE! /root/ (your home directory) would
>be vulnerable as a user too, it would just be called /home/pizzasgood/
>instead. So /etc is the only thing left particularly vulnerable.

what do you mean with invincible? full write access to all (raw) devices?
i don't get you :)

>If you ask me, all the above make Puppy one tough little penguin.
>And that's not taking into account the option of running entirely in the
>ramdisk for the truly paranoid, or multisession for archives of EVERY
>USE, which makes it very easy to go back and find backups. Then there
>is the somewhat unknown quality, which adds a small bit to Puppy's hide.
>Not much, but it's there none the less.

sure a system running off a readonly medium isn't vulnerable to
manipulation of files. you are also right that running entirely from
ramdisk would not do any harm that's not undoable by rebooting :)

maybe i am old school believing in the separation of 0 and the others.
but it served me well till now.

i played around with vserver and usermodelinux in the past. now that
i discovered unionfs via puppy, i can imagine some really comfortable
puppy cages that keep fleas off the "delicate" parts.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#38 Post by Pizzasgood »

>what do you mean with invincible? full write access to all (raw) devices?
>i don't get you :)

I mean changes aren't saved. Just reboot and BAM! All is well. Only /root, /etc, and /usr are writable, and /usr is only partially so. Plus, certain scripts in /etc get copied fresh out of image.gz with each boot, so changes to them aren't kept either.
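
A way to test the persistence claim in post #38 instead of taking it on trust, added here as an example that is not part of the thread: hash every file under a writable directory such as /etc, keep the manifest off the system, and compare it with a fresh one after a reboot. The script name `persist-check.sh` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Baseline-and-compare check for the
# directories the post calls writable (/etc, /root).
# Hypothetical usage:
#   sh persist-check.sh snapshot /etc > /mnt/usb/etc.before    # before reboot
#   sh persist-check.sh snapshot /etc > /tmp/etc.after         # after reboot
#   sh persist-check.sh diff /mnt/usb/etc.before /tmp/etc.after
# Keep the baseline on separate media: a manifest stored inside the save
# file can be rewritten by the same process that changed the files.

# manifest DIR: print "sha256  ./relative/path" for each regular file.
# File names containing backslashes or newlines are escaped by sha256sum
# and are not handled here.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# compare_manifests OLD NEW: print ADDED / MODIFIED / REMOVED, one per line.
# The hash is the first 64 characters; the path starts at column 67, so
# paths containing spaces are kept whole.
compare_manifests() {
    awk '
        pass == 1 { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); h = substr($0, 1, 64)
            if (!(p in old))      print "ADDED " p
            else if (old[p] != h) print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' pass=1 "$1" pass=2 "$2" | sort
}

# Small dispatcher so the file can be run directly; does nothing when
# called without arguments.
case "${1:-}" in
    snapshot) manifest "$2" ;;
    diff)     compare_manifests "$2" "$3" ;;
esac
```

Any MODIFIED or ADDED line under /etc that survives a reboot is a change that was kept, which is the case the two posters disagree about.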

cncuse

#39 Post by cncuse »

>I mean changes aren't saved. Just reboot and BAM! All is well. Only /root,
>/etc, and /usr are writable, and /usr is only partially so. Plus, certain scripts
>in /etc get copied fresh out of image.gz with each boot, so changes to them
>aren't kept either.

looks like you believe :) good luck.

cncuse

#40 Post by cncuse »

and before i forget.

mountains don't have roots. imho they've been pushed up and/or
washed out by water, fire and ice

next time i hope i remember to talk about uid:0.

root seems to be a little too confusing for some.
