I think what is important to remember is that most recently discovered exploits were in fact known at one point or another, at least to the original authors of the code, if not necessarily documented and shared. How much information is shared between allies and foes is usually a matter of operational security.

I believe that Debian has moved towards implement Dependency Based Booting with an eye to, at sometime in the future, compiling the OS each time at runtime. 

In this case brevity would be a factor in the time it takes to initialize key security layers and foiling "injected" exploits as opposed to "discovered" ones. However, too much simplicity can lead to security holes and other hidden features.

I tend to disagree that reliability and security are distinctly separate and measurable. Each may be quantified as a measure of trust in relationship to the other and acted upon accordingly in relation to any OPSEC priorities.


On Tue, Mar 17, 2015 at 11:05 AM, Christopher Browne <cbbrowne@gmail.com> wrote:
On 17 March 2015 at 10:16, Russell Reiter <rreiter91@gmail.com> wrote:
> I'm not sure that performance and security aren't interchangable concepts.
> While the implimentation of dash did improve performance it did also
> mitigate the effects of the Shellshock vulnaribiliy discovered last year.

Well, if you examine the package information about Dash, the description
is reasonably specific...
https://packages.debian.org/sid/shells/dash

"The Debian Almquist Shell (dash) is a POSIX-compliant shell derived from ash.

Since it executes scripts faster than bash, and has fewer library
dependencies (making it more robust against software or hardware
failures), it is used as the default system shell on Debian systems."

I agree that performance is somewhat related to security; a denial of
service can result from poor performance.  But the above seems to be
descriptive of why Dash was chosen as the default shell in Debian
post-Squeeze.

Fewer library dependencies is an interesting additional property.
That is presumably "more secure" as well, but I think they were after
"more reliable" which, while not unrelated, is a distinctly separate
measure.
--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
---
Talk Mailing List
talk@gtalug.org
http://gtalug.org/mailman/listinfo/talk