[tahoe-dev] Secure OS for running Tahoe?

Greg Troxel gdt at ir.bbn.com
Mon Mar 4 12:28:40 UTC 2013

Randall Mason <clashthebunny at gmail.com> writes:

[I know this is not really on-topic so I've tried to really trim.]

> of.  Given the other things that have come from OpenBSD like OpenSSL
> and OpenSSH, we are forever grateful for this initial push into

OpenSSL did not come from OpenBSD.  OpenSSH was Tatu's SSH from the last
Free version, and maintained/developed since then by OpenBSD, so that
one's fair - the OpenBSD folks have certainly made a big contribution
(also including pf).

> vulnerability, but I also have no idea if anybody would try to fix a
> plan9 security vulnerability that was being exploited.  ARM is nice
> and obscure and updated, but PowerPC is no longer updated enough.
> There is a sweet spot.

I would tend to NetBSD on a somewhat odd CPU.  Most of the code is MI
and used/looked at by others, but the standard exploits don't work.  I
don't know what you mean by "powerpc is no longer updated enough"; that
seems to refer to perhaps a particular Linux distribution's practices.

> This was always why I fell off the BSD train.  I don't know NetBSD,
> but OpenBSD was too painful for me to get updating.  I would spend
> hours trying to get anoncvs working, compiling my new kernel,
> rebooting, compiling my new userspace, rebooting and would rarely

This is a fair complaint (although the other side of the coin is that
I've seen people reinstall linux because they were scared of breaking
their system (or did)).

For NetBSD, there is code in pkgsrc/sysutil/etcmanage.  With it, you can
basically check out the sources, run a build command (full build
including cross tools, can be done on amd64 for arm/ppc/etc.), and then
run an install command (that also updates files in /etc) and then
reboot.  I do this all the time on many systems.  This code should be
adaptable to OpenBSD/FreeBSD as well.

> Ubuntu and Fedora Desktop on the other hand support KSplice,
> rebootless updates for most kernel vulnerabilities.
> [KSplice](http://www.ksplice.com/pricing).

That's interesting that ksplice is repackaging Free updates and
charging; presumably one can redistribute the updates but the program to
apply them is non-Free.  Still, that's going off the Free Software plan.

When I look at all the problems I have, rebooting a machine every few
months is not a big deal.

> I use MacPorts on the Apple computers in my fold.  I hate it.  Before
> every update I have to backup etc and diff-restore it manually when

I run tahoe-lafs from pkgsrc on a mac (including python, twisted, and
everything else needed).  I don't worry about /usr/pkg/etc much; the
behavior on update is sane.
