On Mon, Aug 26, 2013 at 10:21:58AM -0500, Kyle Maxwell wrote:

This is pretty much OpenBSD's bread and butter.

That's certainly what Theo likes to think. But is this actually true? And of course the question is whether a modern hardened Linux isn't meanwhile doing as good or arguably slightly better as an OpenBSD, on a ~2007 era notebook.

On Mon, 26 Aug 2013, Dan White wrote:

On 08/26/13 17:09 +0200, Eugen Leitl wrote:

...

I've managed to lay my hands onb a couple of Lenovo X60's that are in pretty good shape and would like to use them as a moderately secure communication/development system. (I'm not trusting my desktops, servers or mobile devices for obvious reasons). I'm loath to modify the hardware at this point, so I expect to only flash coreboot upon it.

I think "moderate" is the right choice of a word. Not sure how moderate you want to go in your moderating, how about removing wifi (it's on PCIe card, AFAIK), or, say, crushing BT with heavy pincers? No, I cannot recomend anything like this, I didn't allow pincers into my laptop...

...

What kind of security-minded Linux or *BSD would you guys recommend? Liberte looks a bit too stable (cough, sorry ??????)), Kali is more for security h4x0rs. Anything else what is well-maintained yet borderline secure from *untargeted* TLA-level scrutiny?

I have recently tried a few Debian-related distros on my X61 (which seems to be smaller brother of X60, i.e. lots of shared hw AFAIK). Ubuntu and Mint boot and work o-o-t-box. Those were just for testing :-/, Debian works too, with X and sound (not sure if I used sound under Debian). FreeBSD - for some reason I am always between after-install and comfortable-using it, at least on laptops and desktops, which is where I tried it so far. Booted it few times into console, X doesn't work on X61, for me.

...

I'm okay with text-mostly distros, or minimalistic window managers. It shouldn't be a kitchensink of stuff I don't need, but on the other hand it's shouldn't be so secure it's unusable, either.

Pointers to any HOWTOs or SOPs highly welcome. Tanks & machine guns.

The boring recommendation: Debian

Seconded, for the pros you gave. I'd consider recompiling kernel. Debian does not have the most recently updated hot-fancy-pansy software, other than security updates - but even in this case, I'd say priority is to backport patch into version included in one's current Debian distribution. So soft is acceptably new when I dist-upgrade but as months go by, it gets a bit old. OTOH, during my circa 15 years of using it, I rarely felt bad about not having the latest version of something installed. With some exceptions, like browsers, java and mplayer, but see below. Most of the other soft I use is stable enough to not undergo revolutionary changes. And besides, I don't really want to be surprised by a bug which took a free ride on top of some revolutionary change. One huge pro, so far, is that Debian does not push its choice of window manager down my throat. I use fvwm and I want it to stay so (after extensive periods of gnome and kde, so I guess they lack something). For a laptop, I would either use a console with screen or maybe some mouseless WM - there is plenty to choose from (try to befriend aptitude and apt-* tools). The default in newer distro is some lightweight decently looking kde-replacement, forgot its name, should be good for noncomputing parents/spouses/siblings (children would use Android/iOS anyway). Another good pro is ability to download full source code (about 7-8 dvds, security updates put onto separate disc) and compile it while in places without easy net access. At least I assume it would work. This pro is of course shared by some other OSes, too. In case of Debian, however, I guess it's safe to assume that all sources fit nicely with each other, compile without complaining, so once you got full copy it is all that you will need. This theory I am yet to test - I know this all compiles on devel's cluster but I think I should test before I claim anything more. [...]

Cons: * Patching your locally installed (packaged) software must be done with Debian build scripts, or you quickly lose the benefits of the apt system * Stupid patches have made it past the package maintainer (the OpenSSL 2008 patch being the one that comes immediately to mind)

As of patching packages, I don't do it because I never had such need. Albeit I tinkered a bit with them when I decided to backport some new packages into my oldie distro. Tools for this are rather easy to use, but from time to time one has to modify some file so the new stuff compiles with older lib etc. Sometimes, such backporting turns into recursive backporting which is why emacs is one of the compiler's helper tools :-). When I want newer version of something, I use stow for stuff going into /usr/local and for some other stuff (browsers, compilers etc) I tell them to install into /opt/{specific_dir}. Thus the core of my sys remains stable and pure, like the devs meant it to be. Stuff from /usr/local is on standard PATH and LD_LIBRARY_PATH, so it is more integrated into usual sys works. Stuff from /opt I use by adding apropriate dirs into ENV variables. Thus I can easily switch between various versions - or revert to stable defaults when I have to. And last but not least, there are third party repositories (chrome, opera, backports, marillat and some more) which offer latest versions and work with one's current distro. Those are easy to add - just a line or two in /etc/apt/sources.list, aptitude update and you rulez ;-) . A some kind of cons is this: after many many many years and many dist-upgrades, so much cruft is collected in /etc (mostly, my mods to config files, backups of mods and origs, some custom scripts residing in /etc for no better place and the like) that one seriously considers installing from a scratch. Other than this, I consider my current os to be twelve years old and counting :-). Perhaps it's time to put /etc into some kind of version control regime. Longevity has its own share of strange problems and strange solutions - not that I am against longevity.

If you're willing to compile your own software or security updates, then I think your choice of OS/distro may be mostly moot.

Sooner or later you will want to compile, so don't worry. I'd have still used Debian, with Slackware or Gentoo being strong secondary choices. But I don't have significant experience with those, so I can't recommend.

I'd recommend against a specialized security (linux) distro, unless you know what you're doing. Support for many of them seems to be pretty spotty, according to my unscientific observation from ##linux.

Yep. Debian, at least, is quite well documented. dwww is my tried old friend. It's possible to install books and manuals from additional packages, those integrate nicely into dwww and can later be accessed with a browser. dwww includes manpages and infopages into this common browsable interface, too, very very cute. But if you desire a lot to go exotic way, you may have a look at this: http://wiki.qubes-os.org/trac/wiki http://theinvisiblethings.blogspot.com/ I didn't try it. But it looks interesting. Maybe it's worth a try. Regards, Tomasz Rola -- ** A C programmer asked whether computer had Buddha's nature. ** ** As the answer, master did "rm -rif" on the programmer's home ** ** directory. And then the C programmer became enlightened... ** ** ** ** Tomasz Rola mailto:tomasz_rola@bigfoot.com **