Hacker News

> Sidenote: I don't like the implication that community-driven projects are inherently less secure.

I don't like it either, but it may be true anyway. Although I don't think it would be resources so much as focus. The Debian community is not that small.




Yup. I love Debian and use it on all my home computers. I think the author hit it on the head when he described the security as inconsistent. Some maintainers put a great deal of thought into the security implications of the software they are packaging, including contributing to the AppArmor profile. Others ignore it, and others yet are openly opposed to it.

Red Hat can declare that everything on the system is going to have SELinux policies following consistent guidelines on what to lock down, and all employees will work with the security team to make this happen. That is harder to do in a community-driven project like Debian, where ownership and work are widely distributed and entirely voluntary. It can really only happen when the goals are already a strong part of the culture and there is buy-in for specific rules to achieve those goals. For example, Debian's strong free-software requirements have been there from the beginning, so most Debian volunteers are self-selected to agree with or at least tolerate them, and even that causes frequent arguments. Security culture is much more mixed, and there are a lot of people in the free software community who think that security starts and ends with fixing bugs when they are found, and who push back hard on suggestions that anything more is needed. It is going to take a long time to change that culture.


I prefer Debian as a workstation, though I tend to use FreeBSD for storage (ZFS), and OpenBSD for network edge servers.


I don't like the implication either. And I agree with you that the focus is different. It seems unfair to compare Debian and Red Hat this way. One is a "bottom-up" DIY distro where you can start with almost a kernel and basic userspace and build up. The other is a more mature product targeted at commercial, public-facing infrastructure.

The former strongly implies that, if you're using it for the latter case, then you really better know what you're doing. But this capability/competence versus task-fit gets glossed over in the paragraph where the author basically says: because Red Hat chose to be a bag of dicks, jumping ship to Debian is the "logical move". It isn't if you don't know what you are doing. And it's sad that RH exited this space, leaving a civil cybersecurity hole. The lack of a truly Free and "OOB secure" OS seems the case in point.

There are other reasons to doubt the security of Debian, but "you're using it wrong" isn't the best one to discuss.



