On Sat, Sep 22, 2007 at 12:20:34PM -0400, Jason Dixon wrote:

quoted text
> On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:

>

> >On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:

> >>Linux has SELinux in its 2.6 kernel and debian has gone ahead and

> >>compiled SELinux into the libraries, although the SELinux policies

> >>aren't ready on debian yet.  The whole focus seems to be to make

> >>Linux "more secure".  I'm not sure what to make of it.  I figure

> >>that if  you want secure, you switch to OBSD.

> >>

> >>Could someone who knows both the details of OBSDs security

> >>enhancements and the details of SELinux comment?

> >

> >I don't know all the details, and especially not the SELinux details,

> >but that won't stop me from commenting.

> >

> >Not long ago I was talking with a Linux person about security, and

> >they pointed me to a set of patches that did a lot of nifty stuff.

> >Good stuff, like the things you find OpenBSD doing. But it's not in

> >the mainline kernel, it's a set of patches.

> >

> >Security should not be grafted on, it should be integrated into the

> >main development process. I'm sure the patch maintainers are doing

> >their best, but this doesn't change the fundamental flaw in the

> >process.  It's not a flaw of their making, it's inherent in the

> >situation. But it's still a flaw.

> >

> >Compare that to a complete operating system (OpenBSD) where  security

> >is part of code quality, and part of the normal mainline development.

>

> If I could add one thing to Darrin's comment (of which I agree

> completely), it would be this:

>

> SELinux is a button.  Buttons are easy to turn off.

As I understand it, the patches (the button) are maintained by the US

NSA; I suppose as a service to their fellow Americans.  That likely

brings out the conspiracy theorists who say that there's probably a

back-door to allow NSA to read your ssh keys, GPG/PGP keys, whatever.  
My _personal_ perspective is that OBSD is smaller.  You don't have 5,000

or whatever people changing the kernel, plus NSA putting their thumb in

it.  You have my Fellow Canadian Theo and people he trusts.
Thanks for your comments.
Doug.