Topic: Security Updates, zlib+ssl+ssh... +?
lucky13
Group: Members
Posts: 1478
Joined: Feb. 2007
Posted: June 01 2008,12:37

Starting a new topic to keep the "compile issues" thread from being hijacked.

curaga re: my idea of packaging a zlib+ssl+ssh security update:
Quote
They are important, but what about all other stuff that has had security updates (png, jpeg, FF, glibc, etc. etc.)?

Those are also important and I also have libpng, ungif, etc., updated on my hard drive install. The differences between vulns in the image libs and the three I listed are like night and day: the vulns in the image libs are usually limited to causing crashes and DOS while the vulns in ssl/ssh present problems with MITM and other attacks that pilfer private data or make it easier to do so.

I'm not dismissing the severity of problems with other libs or apps. I'm just a lot more concerned about the integrity of the libraries and apps that protect my privacy and my data.

Quote
Just saying it might not be worth going for, as to be secure it would need a total overhaul.

"Going for" is already done on the three I listed; they just need to be stripped and packaged. And, as I noted, I could also submit the image libs as well if there's interest. Beyond that, you're right because it would take a lot of effort to patch it all and tiny core will be out soon with a fresher base and fewer things to keep an eye on. That's another reason I favored making DSL a lot more modular when Robert polled about it last year -- it'll make this issue a lot easier to manage going forward.


--------------
"It felt kind of like having a pitbull terrier on my rear end."
-- meo (copyright(c)2008, all rights reserved)
curaga
Group: Members
Posts: 2163
Joined: Feb. 2007
Posted: June 01 2008,12:57

I guessed you'd say that, and I agree. It's not worth it trying to update the current DSL, but the tiny core will be different.

--------------
There's no such thing as life. Those mean little jocks invented it ;)
-
Windows is not a virus. A virus does something!
Jason W
Group: Members
Posts: 260
Joined: Nov. 2006
Posted: June 03 2008,13:49

I personally would be interested in a .dsl that has an updated libpng, libjpeg, openssh, openssl and so forth. The gtk2 extensions have many updated libraries like that and it is pretty well proven they cause no problems with existing base apps or other extensions. If someone was building a non-gtk2 app that requires updated image libs it would be nice to have an extension containing such as to not have to include the updated libs in each extension. That as well as the security concerns with things such as ssl and ssh. Maybe a .dsl for image libs and a separate one for ssl/ssh.
lucky13
Group: Members
Posts: 1478
Joined: Feb. 2007
Posted: June 03 2008,15:06

Quote
Maybe a .dsl for image libs and a separate one for ssl/ssh.

That's kind of where I'm leaning but it may be easier and simpler to manage if I put them all in one. I should have time to work on it this weekend, maybe sooner if I don't have to travel this week.


lucky13
Group: Members
Posts: 1478
Joined: Feb. 2007
Posted: June 10 2008,19:26

Update...

I was going to submit this all-in-one with SSL headers so other apps could be compiled against it. That would make it pretty big and unsuitable for users who just want the SSL/SSH/zlib updates. I'm holding back on these until I see what Robert is doing with tiny core. I only know he said he's using dropbear instead of SSH which means we'll need an OpenSSH and sshfs extension(s) for tiny core. Maybe the fuse module, too, if that's out of the base.

I don't know what version of SSL is in tiny core and if all of this will turn into many little pieces or one big package or if I need to separate the SSL headers from the rest so there's an update package and a dev package.


26 replies since June 01 2008,12:37