Comments on: Debian: Where should wewe should go from here?
http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/
Linux old timer. Debian founder. Sun alum. Salesforce ExactTarget exec.
Sat, 05 Sep 2015 19:38:18 +0000

By: Treksarwan http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-357 Thu, 23 Jun 2005 01:36:10 +0000 http://ianmurdock.com/?p=239#comment-357
Wow, did I read that right?— debian.org didn’t ask Ian Murdock for input into where Debian should be headed?! I am a clueless newbie, but I just read “Rebel Code”, so I know who Ian is and can see the irony here.

I have a comment/appeal which might not fit in very well with the general tenor of this blog, but which is related to the question of where linux in general and Debian derivatives like Mepis in particular should be heading.

I am a linux home user (for just under a year), not a developer– in fact, I’m still a more or less clueless newbie. As a would-be security-minded home user of linux, I want to try to express my (paranoid?) needs to developers, especially anyone thinking about devising a new live CD distro similar to Mepis.

Here in the US, during the past few years I have seen considerable coverage in the mass media (newspapers, local and national TV) of stories involving computer security, spyware, ID theft rings, nation-wide private sector “intelligence dossiers” [compiled by companies like ChoicePoint for marketing and credit-checking purposes] on individual citizens, and various other privacy concerns. I tend to see these as related by a common theme of corporate/government indifference to the individual rights of the hapless consumer/citizen, and I tend to see Open Source as one of the few developments opposing technopolitical trends favoring Big Whatever over the individual. Does this media frenzy reflect a genuine and growing public concern? Or only mass media outlets trying to increase their own profits by frightening the public and thereby increasing readership/viewership? I don’t know, but assuming the former, it seems to me that there is a niche which I fervently wish some fine person would rush to fill with an Open Source solution.

Namely: providing an easy to install but moderately (highly?) secure system for the home user, particularly someone like myself who is quite willing to trade off inessential luxuries for better security. The distros I’ve investigated (including Mandrake and Mepis) have been disappointing in that regard.

Gripe number one: I haven’t yet found a distro which goes out of its way to help the user to install some kind of integrity checker like Tripwire immediately after installation. Yes, I do not doubt that any moderately knowledgeable user can do this in minutes, but -I- wasn’t able to do it! Maybe I could do it now that I know more, but what would be the point? From everything I’ve been reading, this is an extremely basic and essential step, but it needs to be performed immediately after installation. But none of the distros I’ve examined seems to facilitate this step for an utterly clueless newbie, despite advances (e.g. by Knoppix) in hardware detection and other essential aspects of autoinstallation.

Gripe number two: via Distrowatch, I’ve been scanning the basic installation instructions for various distros for some time, but have yet to find any which I as a cautious newbie consider to be sufficiently helpful regarding the proper order of operations. For example, I have gradually become aware that as a basic part of good security practice, some kind of physical firewall is needed for rudimentary protection during the download and patching of a new install. (Certainly true for Windows, or so I am told, but I anticipate this will increasingly be true for linux as well.) Routers need not be expensive, so why not advise the new user to obtain one along with his/her box?

Nor have I found a set of instructions which clearly explains for the newbie exactly how to use tools like apt-get! (E.g. briefly explaining the role of and possible flaws in signatures, whether the user needs to make any special effort to obtain various desirable features such as signature checking, etc.) This baffles me, since I am vaguely aware that apt-get is one of the most powerful features of Debian derivative distros. My own (munged?) Mepis installation can only rarely use apt-get successfully to install new packages, either from the command line or under kpackage, and I still don’t know enough to install packages I want “by hand”. (I know this isn’t the place to ask for help on this, I am just trying to explain my so far unmet needs.) Even worse, it is still not clear to me that I am even successfully updating or patching the packages I -was- able to install. (E.g., I tried to tighten permissions, and this might have broken the functionality of apt-get.) Has anyone considered creating a package whose sole purpose is to help the newbie to more or less directly check that apt-get really is updating or applying patches correctly, in the context of something like a Mepis installation?

(I could make similar complaints regarding rpm and Mandrake type distros, BTW.)

Gripe number three: the Mepis basic install seems to break all the rules of good security practice, as expressed in the books I’ve been reading. E.g. starting with minimal permissions/packages/services and adding more as you decide you really need them. The distros I’ve tried seem to assume the home user either doesn’t care at all about security, or else will proceed in the opposite direction, by progressively -removing- permissions/packages. But I found the latter is a -terrible- strategy for a newbie, because a newbie can’t be expected to have any idea what “perl” is or why removing it might break other stuff he/she knows that he/she does want to use.

(Again, similar remarks hold for Mandrake.)

Gripe number four: prices for hardware continue to decrease, and here in the US (and I believe also in the UK and many other places around the world) you can obtain a “bare bones” box with 128 MB memory for US $150. Has anyone else thought about setting up a two box system, with a downstream box having more RAM and production tools like compilers installed, with more permissive permissions in the interests of usability, and the upstream box having much less RAM and the bare minimum of packages installed to run an IDS and/or perhaps a suitable logical firewall in lieu of the router (which might be used only during the initial installation and patching), in the interests of security? Or even having the upstream box run off a live CD to prevent easy tampering with system utilities?

What I am trying to say is that from what I’ve been reading, I have the sense that even two boxes should enable the home user to divide up functions between the box on which one does most “work”, where security is compromised in favor of features, and the box responsible for IDS and system logging, where features are decreased in favor of security.

The idea I am struggling to express here is that perhaps a modest alteration of the “default concept” of what the average user’s home system might look like could -greatly- increase the security of the “average home system”, -without- greatly increasing cost or decreasing speed and convenience. At the very least, a two box configuration might make it easier for newbies to use security tools originally developed for sysadmins of large systems.

My hope would be that a sensible security philosophy like this could be incorporated into the next generation of live CD distros, and would be no more difficult for a clueless newbie to set up than say a basic Mepis installation.

I anticipate that many readers will feel I am excessively paranoid. Maybe so, but even lunatics have needs, yes? And what is paranoid today might not seem excessive tomorrow.
I fear that developers of contemporary distros may be failing to look a few years into the future and see that at some point, enough people will have personally experienced ID theft, e-stalking, or something horrible like that, to appreciate that the consequences of losing control of sensitive information can be so dire that taking considerable pains to prevent this is well worth anyone’s time. If so, in a few years, the general public may be much more willing to accept minor inconveniences in the interest of better security than is presently the case. If so, it seems to me that it is not too soon to start developing much more secure basic home installs for linux.

Any comments? (Use small words, please! I don’t really understand the jargon very well at all, as you might have noticed.)

By: Christopher Sawtell http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-355 Sun, 19 Jun 2005 09:33:49 +0000 http://ianmurdock.com/?p=239#comment-355
The names of the release levels are important. While using the names of the toys is cute and fun, Debian has matured far beyond being a geek’s toy. We need something more akin to the phrases the commercial world uses to market their offerings. How about something like Debian Proven, Debian Working, and for the least stable, Debian Workshop.

If preferred, the order of the words could be reversed:
Proven Debian, Working Debian, and Workshop Debian. Yes, that’s better. And the unstable Sid might be “The Debian Forge”.

By: Tiago de Lima Castro http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-353 Thu, 16 Jun 2005 15:53:36 +0000 http://ianmurdock.com/?p=239#comment-353
First, sorry for my bad English….
In my opinion, it’s important to continue with just one Debian with a cycle, like 12 months, of new releases.
Debian is going to be a big base distro; because of this, we need more regular releases, or we’re gonna be another Red Hat, a big distro with no compatibility with
its sons. This is important, because with a lot of different distros working together, all of the distros, for specific applications, will develop all the community.
Maybe a revision of the way that maintainers make and test the packages is the solution.
I think that Debian has a good future.

By: Ian Murdock’s Weblog » Debian: Para onde devemos ir a partir de agora http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-352 Thu, 16 Jun 2005 12:09:07 +0000 http://ianmurdock.com/?p=239#comment-352
[…] Thursday, June 16th, 2005 André Moraes has translated Debian: Where should wewe should go from here? into Portuguese. Obrigado! […]

By: Ritesh Raj Sarraf http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-351 Wed, 15 Jun 2005 20:01:46 +0000 http://ianmurdock.com/?p=239#comment-351
Debian needs to think more from a corporate perspective. Customers tend to stick to corporate vendors for support and service. Corporates are going to support Debian only if it agrees to work together.

An example would be better:

XYZ releases a new feature in its hardware for which it has the patch readily available. Given the time the patch requires to be accepted upstream to the kernel, Debian needs to have an accountable team which could work closely with corporate entities to “verify” and include those patches in the release.

I know it is something difficult because there isn’t any “single point of accountable contact” as such, but if this can be sorted out I guess Debian would rock.

By: michael http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-350 Wed, 15 Jun 2005 18:52:50 +0000 http://ianmurdock.com/?p=239#comment-350
I was the one that suggested the longer release cycle for server-related stuff near the top of the comments.

Based on ensuing comments, I agree that it might not be such a wise thing now.
– The Debian community would likely want to move the platform forward with new and interesting things, not concentrate on bug fixing. That would keep it interesting on a volunteer level.

– Providing a longer release schedule is too limiting. Towards EOL of the “stable” version it gets much less attractive to users because of hardware and package limitations.

– A longer security support phase is not so exciting for the volunteers. They want to work on new stuff too.

My question:
Let’s say the community goes to 12-month releases, would a sysadmin pay (red hat prices) to keep a Sarge server patched and perhaps include a few newer packages after 2006? Or, does free-as-in-beer make it a null point?

By: Jamie http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-348 Wed, 15 Jun 2005 16:58:47 +0000 http://ianmurdock.com/?p=239#comment-348
I think the issue of how often to release while trying to address the needs of all users (e.g. server and desktop) can be solved simply with how long security support will be available. I.e., have a 12 month release cycle, but 24 months of security updates. Let the users decide on how to upgrade. The Debian security people would obviously need some help– but they have already committed to 12 months of security support for woody, so maybe everything they need is already there.

By: Bob Finch http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-347 Wed, 15 Jun 2005 13:09:43 +0000 http://ianmurdock.com/?p=239#comment-347
I liked Ian’s article. I like most of the comments. I did however find one bone to pick.

Mandrake (or as it is called now: Mandriva) has a rather large share of the market. Enough market share to be profitable, and the ONLY for-profit Linux company to actually be making money. Red Hat has not “made” money at any time in its history save many years ago on its IPO (stock offering).

SuSE also bleeds considerable amounts of money.

Mandrake/Mandriva was poorly managed too, for a short while several years ago. It ended up in French bankruptcy court, but has for the last year or slightly longer turned a true profit, based on their sales and support services. Again, none of the other Linux distributions mentioned has done that. The two Ian picked are essentially dot.com babies that are living off their influx of “unearned” income (so to speak).

I think Ian’s article would be more accurate and informative had he also included Mandrake, not just because it is the ONLY large Linux distribution that “makes a profit”, but because it IS a large distribution in numbers of users as well.

Personally I use and/or maintain about 10 distributions on a regular basis. None of them is a Debian or Debian derived distribution. One of them is a Red Hat/Fedora derivative. And one of them is Mandrake/Mandriva. Which is to show that while Debian *IS* a major distribution, there is room to talk about more than just Debian and its derivatives, Red Hat and its derivatives, ESPECIALLY if one is trying to make the point Ian is trying to above.

Finally, some markets rate Mandrake/Mandriva no. 2 behind Ubuntu. It may not be the market analysis Ian used, but often it is hard to gauge these things accurately, especially when it comes to business markets using Linux when commercial and non-commercially oriented distributions are being compared.

Anyways, as always, very best regards;

Bob Finch

By: Deidre Nair http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-346 Wed, 15 Jun 2005 12:59:31 +0000 http://ianmurdock.com/?p=239#comment-346
I agree that there should be more frequent Debian releases, maybe once every 18 months. As a sysadmin, IMHO, Debian should concentrate more on LSB.

A separate Debian desktop/server is a bad idea; there are a lot of other distributions that fill the role. Progeny CL, Ubuntu, Linspire etc. to mention a few. Debian already has package maintainers working towards optimising specific packages for desktop or server use. Colin Walters’ desktop work comes to mind. (http://web.verbum.org)

Splitting the distro is a bad idea because it’d only increase the complexity and maintenance aspect of the current release cycle. Moderately frequent release cycles working towards LSB compliance may be beneficial for Debian as it may reduce the need for backports.

By: Balmore http://ianmurdock.com/debian/debian-where-should-wewe-should-go-from-here/comment-page-1/#comment-345 Wed, 15 Jun 2005 11:16:29 +0000 http://ianmurdock.com/?p=239#comment-345
Simply well said. Are they listening? I hope!
