Is Debian the gold standard for Linux security?

Also in today's open source roundup: DistroWatch reviews Apricity OS 07.2016, and 10 big improvements in Android 7.0 Nougat

Is Debian the gold standard for Linux security?

Security is an important priority for all users, even those who run Linux as their preferred operating system. One redditor wondered in a recent discussion thread if Debian should be considered the gold standard for Linux security.

ZombieWithLasers started the discussion with these observations and questions:

I’ve noticed that Debian tends to come up a lot when talking about security on Linux. It seems to be the go-to distribution when anyone talks about security and privacy. Many of the white hat and security focused distributions use it as their base, including Kali and Tails. The EFF has recommended it on several occasions, and it was even thanked in the credits of Citizen Four. Is it really that much more secure than other distributions?

I understand there being concern around corporate distributions like RHEL, SUSE, and Ubuntu, even if those concerns aren’t founded. The open source/FLOSS community has always had some mistrust of corporations. What about distributions like Arch, Gentoo, and Slackware? Arch is even a member of the same non-profit as Debian.

There are other considerations too, like GRSecurity and Systemd. By most accounts, GRSecurity is better than SELinux, yet it is only really offered by Gentoo and Arch in their main repositories. Why don’t they carry some added security reputation for it? Systemd is a more complicated issue. Opinions will range from it being way more secure than previous init solutions to it being produced by the NSA themselves to create vulnerabilities in Linux. The verifiable issue I see is the size of it. It’s well known that the smaller and less complex the software is, the less opportunity there is for strange bugs and vulnerabilities to surface. On that, it would seem that lighter weight alternatives have a slight edge in security. Again, this goes in favor of distros like Gentoo, Void, and Slackware.

So what is it about Debian, then? Is it the reputation alone? Is it because they work well with the community and organizations like the FSF? Is it more an issue that Debian is easier to recommend? I certainly wouldn’t recommend Gentoo to a new user and expect them to be secure. I’m honestly curious. Is there some secret X factor that Debian has that I’m missing? Is it really the gold standard in Linux security?

More at Reddit

His fellow Linux redditors responded with their thoughts about Debian and security:

Daemonpenguin: “I don’t think I have ever heard Debian being referred to as particularly good at security. Not that Debian is bad at it, but I’ve never known anyone to choose to use Debian because of a security feature. Nor have I ever heard that Debian has an outstanding reputation for security.

I think the OP is looking at distros which are security focused, seeing they are based on Debian and assuming it is because Debian is ultra secure. That is probably not the case. Projects like Tails and Kali likely use Debian as a base because it’s relatively easy to re-spin Debian. Debian makes for a very stable, open base. It’s easy to extend and customize Debian and there are a lot of examples to follow.

So Tails is probably Debian-based because of the ease of working with Debian as a platform, not because it has special security features.

Things like cgroups (systemd) and SELinux are a completely different subject and can be used with just about any distro.”

Silvernostrils: “You never defined security. You can “hack” a flip-flop circuit with a timed pulse and make it flop-flip; does that mean it’s insecure? I mean, against who/what do you want to protect yourself?

Also, complexity and scale aren’t the only factors; the rate of change and available resources also are. If you have more eyes looking at the code, or slower changes and hence more time to look at the code, you also reduce the risk of mistakes.

If you reduce complexity and scale, you may get a rebound effect where the freed-up resources are not spent on better code quality or more code review, but on faster iterations. I’m not sure if you aren’t just going to speed up the race. Do you intend to outrun your opponents?

Also, I’m not sure about fuzzers or narrow-AI attacks, and what is more difficult for those to digest, and whether we won’t end up having a contest piping code through ever more elaborate and expensive defence measures. How much compute power are we willing to sacrifice? Is this going to be an economic battle?

Debian has always been very cautious/deliberate, very stable and very trustworthy, and it’s comparably easy to use for the security it provides. Also, the community is big, so it’s more likely that somebody notices shenanigans.

If you look at SEL vs GR, then there is also momentum and cost of transition: if I switch from SEL to GR there will be a time-frame where my lack of experience configuring GR will cause a temporary drop in security.”

Tscs37: “In terms of attack surface, you might be looking at Alpine Linux being “most secure” by default, since it has basically a non-existent attack surface on top of using a hardened kernel and tools by default.

On the other hand, no distro is really “secure” by default. They are all vulnerable to attacks in some way; the best you can do is choose one you’re comfy with, install a hardened kernel, keep up-to-date on CVEs and keep your head below the firing line.”

Boomboomsubban: “It maintains a stable base and works hard backporting security fixes, updates introduce potential risks that they try to wait out. GRsecurity is usable on Debian, the patched kernel is in the repos and you can compile it yourself if you want. And their decision making process is incredibly transparent, which comforts people if nothing else.”

Jijfjeunsisheumeu: “Debian Security is bollocks for so many reasons, ranging from the use of glibc, to a non-hardened toolchain being used, to simply the fact that there have been multiple instances where Debian’s aggressive policy of patching and forking packages has created security vulnerabilities that did not exist upstream.

The latter is a really big problem. Unless it’s absolutely necessary, deviating from upstream is a security nightmare where you don’t know any more what vulnerabilities stuff may or may not have. If a critical fix is to be there, it needs to be a backport of an upstream patch.

If you want to use a Linux kernel and want security, really, go Hardened Gentoo, there is no competitor. Yeah, you can get a similar thing on Debian by recompiling your system yourself with hardened flags but the package manager will be of no assistance to you.”

Cbmuser: “Debian is constantly working on hardening. Next step is enabling -fPIE by default and using a signed kernel image. We’ve been doing hardening for quite a while now.

Also, unlike Gentoo, we’ve already switched to gcc-6 and have professional maintainers for toolchain, glibc and kernel (paid by companies).

Debian has reproducible builds and is widely used on the interwebs and supported by companies like Bytemark and HP Enterprise.

You are poorly informed.”

Twiggy99999: “If you read the internet (I do), every distro is the most secure. The thing is, with Linux everyone’s chosen distro is the best and all the others “suck dude”. In a way they are correct: every distro could be the most secure depending on how it’s been set up, what’s installed as standard, etc. Debian is okay out of the box, but you can easily make it much less secure, as you can with any distro, and there are also things you can do to make it much more secure. I really don’t think there is a right or wrong answer here.”

Passthejoe: “I use Fedora because you can easily encrypt a full Linux installation that is installed as a dual-boot system with Windows. Debian only easily allows full encryption if it is the sole OS on the drive.

I say “easily” because I’m sure it’s possible to do these things in the Debian installer, but it’s probably super hackish and not easy.

That said, doing a fully encrypted Debian installation when it is the sole OS is very easy, and it is a great thing that makes Debian a great choice for the security-conscious.”

Ilikerackmounts: “Gentoo, by the nature of having variable compiler flags, can make it less susceptible to ROP chaining (but certainly not bulletproof). It also had a hardened profile with hardened USE flags. However, I’d say the distros that at least attempt to harden themselves would be CentOS/Fedora/RHEL, with out-of-the-box configured SELinux profiles.

That being said, there have been a number of humbling snafus for all distros to prevent the bold claim of being security focused, the last of which has been vulnerabilities within the package managers.”

More at Reddit
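Cbmuser's point about Debian enabling -fPIE by default and Ilikerackmounts' point about ROP susceptibility both come down to properties of the ELF binaries a distro ships. The following added example (not from the thread or from any distro's own tooling) parses the ELF64 header and program headers directly to report whether a binary is position-independent (ET_DYN, a prerequisite for ASLR of the main executable), has a non-executable stack (PT_GNU_STACK without PF_X) and carries a RELRO segment (PT_GNU_RELRO). It runs offline on a constructed ELF image; `check_file` can be pointed at a real binary such as /bin/ls.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3                       # e_type values
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1                                   # segment flag: executable
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")    # ELF64 header, little-endian (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")            # ELF64 program header (56 bytes)


def check_elf64(data: bytes) -> dict:
    """Report PIE / NX-stack / RELRO for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, phoff, phentsize, phnum = fields[1], fields[5], fields[9], fields[10]
    nx = relro = False                       # absent PT_GNU_STACK => executable stack on x86
    for i in range(phnum):
        p_type, p_flags = PHDR.unpack_from(data, phoff + i * phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True                     # at least partial RELRO (full needs BIND_NOW)
    # ET_DYN also covers shared libraries; for an executable it means PIE.
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_elf64(f.read())


def build_sample(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed minimal ELF64 image (headers only, not loadable) for demonstration."""
    phdrs = [PHDR.pack(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # class=64, data=LE, version=1
    hdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return hdr + b"".join(phdrs)


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        print(path, check_file(path))
    print("constructed hardened sample:", check_elf64(build_sample(True, True, True)))
    print("constructed unhardened sample:", check_elf64(build_sample(False, False, False)))
```

Run it as `python3 check_elf.py /bin/ls /usr/bin/ssh` to compare what a given distro actually ships; a non-PIE result on a setuid or network-facing binary is the kind of finding the thread's hardening discussion is about.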

DistroWatch reviews Apricity OS 07.2016

Apricity OS is a distribution based on Arch Linux that offers the ICE site specific browser. ICE makes it easy to integrate web apps into the desktop experience. DistroWatch has a full review of Apricity OS 07.2016.

Jesse Smith reports for DistroWatch:

I hesitate to make any sweeping statements about Apricity, its strengths and its weaknesses, as I only got to use my installed copy of the operating system in a limited capacity. Almost all of my brief time with the distribution was spent running it from a live disc. That being said, despite my installed copy of Apricity failing to give me a desktop session, most of what I experienced this week I liked.

Apricity had some features I didn’t care for. The indistinct window borders weren’t ideal, but it’s possible to change the theme and experiment with different desktop styles. I don’t like using the Totem media player, but there are plenty others to choose from in the repositories.

I do like that Apricity ships with a lot of software without much duplication. There tends to be one program per task available and the distribution covers a lot of tasks. Everything from gaming with Steam to a productivity suite to multimedia codecs is included. A new user can jump into just about anything other than video editing with the default applications available. I especially liked that Syncthing was installed as it is a tool I hope sees more wide-spread use, both for setting up backups and for sharing files.

All in all, I like what Apricity is trying to do. The project is relatively new and off to a good start. There are some rough edges, but not many and I think the distribution will appeal to a lot of people, especially those who want to run a rolling release operating system with a very easy initial set up.

More at DistroWatch

10 big improvements in Android 7.0 Nougat

Android 7.0 Nougat might be the best version of Android yet. But what sets it apart from previous releases of Google’s mobile operating system? A writer at Forbes has a list of ten big improvements in Android 7.0 Nougat.

Shelby Carpenter reports for Forbes:

Android 7.0 Nougat is here for the majority of Nexus owners and will roll out throughout the next year for other Android devices. Nougat (also known as Android N) comes with a number of big changes over Marshmallow, the last Android OS. Before you download, here are some of the biggest new features to expect:

1. Better battery life

2. Revamped notifications

3. Split-screen use

4. New use for the overview button

5. Better toggles

6. Revamped Settings Menu

7. File-based encryption

8. Quicker system updates

9. Direct Boot

10. Data Saver

More at Forbes

Did you miss a roundup? Check the Eye On Open home page to get caught up with the latest news about open source and Linux.

Copyright © 2016 IDG Communications, Inc.
