From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: server and client in one package -> security issue
Date: Mon, 13 Feb 2017 15:13:08 +0100
Message-ID: <87o9y6dvrf.fsf@gnu.org>
In-Reply-To: <96fa2c02-f5da-d4f5-6074-04b29f5376fb@crazy-compilers.com> (Hartmut Goebel's message of "Sun, 12 Feb 2017 13:23:09 +0100")
To: Hartmut Goebel
Cc: guix-devel@gnu.org
List: guix-devel ("Development of GNU Guix and the GNU System distribution.")

Hello,

Hartmut Goebel skribis:

> Am 09.02.2017 um 23:50 schrieb Ludovic Courtès:
>> I think the only reason to separate things usually is size, not
>> “aesthetics.” So I’d be in favor of keeping both in the same output if
>> there’s no size problem.
>
> Separating clients and servers is not an "aesthetic" thing. It's a
> matter of security.
>
> One basic rule for hardening systems is: "only install the required
> software". If we munge server and client packages, this obeys this rule.
>
> In my day business I'm a security consultant (CISSP, CSSLP and ISO
> 27001 Lead Implementer). And from my point of view Guix already has a
> medium problem of acceptance since it munges development files and
> run-time files into one package, as we do for all libraries. This
> already contradicts the above-mentioned basic rule.
>
> Now if Guix starts munging server and client components into one
> package, this plainly disqualifies GuixSD from any security-sensitive
> system. [*]
>
> [*] OTOH it opens up chances for big business: selling "Secure GuixSD"
> to customers.

Heheh, good for you! ;-)

Seriously though, all I’m saying is that, until now, the main (only?)
criterion that we had for multiple outputs was size:

  https://www.gnu.org/software/guix/manual/html_node/Packages-with-Multiple-Outputs.html
  https://www.gnu.org/software/guix/manual/html_node/Submitting-Patches.html (#5)

This patch was using a different criterion.

Now, back to the “only install the required software”, I wouldn’t go as
far as you do. I generally agree with the rule, but I’m skeptical as to
what this buys you from a security perspective: users can always
install whatever they want by hand anyway, and do you have an idea as
to how much code they install via their browser?

murmurd becomes a problem security-wise when you actually run it and
expose it to the network. But that’s true of any piece of software that
talks to the network, especially if it’s written in C/C++.

The real solution to that is not to make it harder to install this or
that piece of software IMO. Rather it’s to make sure they only run when
really needed, and in isolated environments as much as possible, as per
the “principle of least authority” (POLA).

WDYT?

Ludo’.
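For readers who want to see the mechanism the thread is arguing about, here is an added, hypothetical example (not the patch under discussion, not code from Guix or from either author) of the two package fields that put a network daemon into its own output. The package name, the "server" output name, the `bin/murmurd` path and the phase name are all assumptions made for the illustration; the rest is standard `gnu-build-system` idiom (`modify-phases`, `add-after 'install`, `assoc-ref outputs`, `mkdir-p` from `(guix build utils)`).

```scheme
;; Added example, not from the original message or from Guix itself.
;; Two fields to put inside a (package ...) form so that the daemon lands
;; in a separate output.  "out" keeps the client, libraries and data;
;; "server" receives only the daemon.  Path and names are assumptions.
(outputs '("out" "server"))

(arguments
 '(#:phases
   (modify-phases %standard-phases
     (add-after 'install 'split-server-output
       (lambda* (#:key outputs #:allow-other-keys)
         (let* ((out    (assoc-ref outputs "out"))
                (server (assoc-ref outputs "server"))
                (daemon "bin/murmurd"))        ; assumed install path
           ;; Both outputs are store paths on the same file system, so a
           ;; plain rename is enough; only the daemon binary moves.
           (mkdir-p (string-append server "/bin"))
           (rename-file (string-append out "/" daemon)
                        (string-append server "/" daemon))
           #t))))))
```

With this split, `guix package -i mumble` (assuming that package name) installs only the "out" output, and an operator who actually wants the daemon asks for it explicitly with the `package:output` syntax, e.g. `guix package -i mumble:server`. Note that this addresses Hartmut's "only install what is required" rule but not Ludovic's point: the daemon is exactly as exposed once it runs, whichever output it came from, so the output split is a complement to, not a substitute for, running it only when needed and under a confined service definition.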