
Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 13:58 UTC (Thu) by dwheeler (guest, #1216)
Parent article: Ubuntu, security response, and community contributions

Ubuntu is a good distro, but I prefer Fedora _specifically_ for its security. Fedora is
generally much faster at repairing vulnerabilities, and Fedora is less likely to be harmed by
a newly-disclosed vulnerability in the first place.

First, for response, just look at your sample. 4/6 times Fedora was faster, often by 2-4
weeks.  1/6 they released the same day.  1/6 Ubuntu was one day faster, and only by a fluke of
email addressing.

Fedora also has lots of protective mechanisms for 0-day vulnerabilities, so it's a lot less
likely that an unknown vulnerability will be as harmful in the first place.  SELinux is the
most obvious and pervasive mechanism, but the various exec-protection mechanisms are a big
deal too.  I think this is at least as important, even though it gets less press.

There's no need for distro-bashing; they're both good, and there is no magic in what Fedora is
doing.  Fedora 9 copies in upstart from Ubuntu, simply because Ubuntu's upstart was better
than what Fedora had.  Ubuntu just needs to learn from Fedora in what THEY do right, and copy
the good stuff.




Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 15:38 UTC (Thu) by i3839 (guest, #31386) [Link]

What exec-protection mechanisms? I thought most of those were pushed upstream? (Things like
gcc's stack protection, address space randomization, non-executable stack, data and heap, etc.
are, no idea how much they were written by Red Hat in the first place though.) Only thing left
AFAIC was non-exec protection on non x86_64 x86.

That's what I like about Red Hat, that nowadays they push stuff upstream so that everyone
benefits from it. If distros would do that more they'd make each other's lives easier and
improve the whole.

Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 15:48 UTC (Thu) by nix (subscriber, #2304) [Link]

Other parts of exec-shield, like the 'ASCII armoring' (to make it 
impossible to embed the address of a function in a shared library in a 
string and then get it into an overflowed string via C string-handling 
functions) haven't gone upstream yet :( I wonder why not?
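
The string-handling behaviour that comment refers to, as an added example that is not part of the original thread: C string functions stop at the first zero byte, so input that embeds an address containing one is cut off there. Both addresses are constructed sample values and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILLER 8   /* bytes placed before the address */
#define TRAILER 8  /* bytes placed after the address */

/* Returns 1 if any byte of the 32-bit address is 0x00, meaning the
 * address cannot sit in the middle of a C string. */
int has_nul_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/* Builds input shaped as FILLER bytes | address | TRAILER bytes, with the
 * address laid out little-endian as on x86, passes it through strcpy()
 * and returns how many bytes reached the destination. */
size_t bytes_surviving_strcpy(uint32_t addr)
{
    char input[FILLER + 4 + TRAILER + 1];
    char dest[sizeof input];

    memset(input, 'A', FILLER);
    for (int i = 0; i < 4; i++)
        input[FILLER + i] = (char)((addr >> (8 * i)) & 0xff);
    memset(input + FILLER + 4, 'B', TRAILER);
    input[FILLER + 4 + TRAILER] = '\0';

    memset(dest, 0, sizeof dest);
    strcpy(dest, input);   /* copying stops at the first zero byte */
    return strlen(dest);
}

int main(void)
{
    uint32_t armored = 0x00123450u;  /* constructed: top byte is zero */
    uint32_t plain   = 0xb7e12340u;  /* constructed: no zero byte */

    printf("armored: zero byte=%d, %zu of %d bytes copied\n",
           has_nul_byte(armored), bytes_surviving_strcpy(armored),
           FILLER + 4 + TRAILER);
    printf("plain:   zero byte=%d, %zu of %d bytes copied\n",
           has_nul_byte(plain), bytes_surviving_strcpy(plain),
           FILLER + 4 + TRAILER);
    return 0;
}
```

With the zero-containing address the copy ends at that byte and none of the trailing bytes arrive; with the other address the whole input is copied.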

Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 16:04 UTC (Thu) by riel (subscriber, #3142) [Link]

IIRC Linus made it clear that he did not want them.  I do not remember the reason, but it made
sense at the time :)

Ubuntu - poorer security than Fedora

Posted Jul 19, 2008 20:19 UTC (Sat) by ceplm (subscriber, #41334) [Link]

All this stuff is useless when not used. What are the default CFLAGS in Ubuntu? The Red Hat
distros are known to use quite paranoid ones.

Ubuntu compile-time hardening

Posted Jul 21, 2008 8:33 UTC (Mon) by mdz@debian.org (guest, #14112) [Link]

Ubuntu - poorer security than Fedora

Posted Jul 21, 2008 8:51 UTC (Mon) by i3839 (guest, #31386) [Link]

That isn't true; most is done by the kernel. Only stack protection is useless when not
enabled, so buffer overflows are still a danger, but less so if the kernel makes the stack
non-executable and randomizes the address space.

And as the poster below linked to, Ubuntu seems to enable those flags too.

Chance prefers the prepared mind...

Posted Jul 17, 2008 16:12 UTC (Thu) by mmcgrath (guest, #44906) [Link]

"There's no need for distro-bashing; they're both good, and there is no magic in what Fedora
is doing."

No magic, just hard work and experience.

Shameless plug:  http://join.fedoraproject.org/


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds