Date: Fri, 10 Sep 2021 04:18:05 -0500 (CDT)
From: Ariadne Conill
To: Michael Hiltz
Cc: "ariadne@dereferenced.org"
Subject: Re: Security in Alpine - fake?

Hi,

On Fri, 10 Sep 2021, Michael Hiltz wrote:

> Hello Mr. Ariadne,

To be clear -- I'm not a mister.

> For 16 years no one has known what Alpine Security means. Other distros explain it all very well:
> https://fedoraproject.org/wiki/Security_Features_Matrix
>
> https://wiki.ubuntu.com/Security/Features
>
> https://isopenbsdsecu.re/mitigations/

I agree that we need to produce documentation materials as part of the work-in-progress Alpine manual (https://docs.alpinelinux.org) that explain the security properties of the distribution. Indeed, it is good to know what is available. It is on the list of things to do.

> Afaik there are only 2 ridiculous exploit mitigations active in Alpine. Many ppl have the idea Alpine Security is bla bla bla, aka zero security.

I do not know what "ridiculous exploit mitigations" you refer to, but I will attempt to respond nonetheless.

Alpine has the same mitigations that Fedora, Ubuntu, etc. have. In the past, we had more, such as the PaX and grsecurity patches, but those have been taken private, so we cannot distribute them anymore.

In many cases, we were, and remain, ahead of other distributions in taking proactive measures to lock down attack surface. For example, let's talk about eBPF: when eBPF came to Alpine, it was locked down from day 1. Only now are other distributions following in our footsteps and restricting the use of eBPF to root, after they realized that eBPF is not as foolproof as they initially thought.

> ppl believe Alpine is safe because it has less code, but that is wrong. Exploit mitigations don't care about how big the code is; you are always protected no matter if we have 10 lines of code or 100 million lines. Would you tell the world a smaller encrypted tar archive is more secure than a big encrypted one?

Exploit mitigations only mitigate against specific classes of vulnerability. Minimizing attack surface in the general sense is also helpful for improved security. You mention OpenBSD, for example, which applies the same practices as we do, and maintains a small base system.

> I saw some of your blog posts about "security" and couldn't find security. Replacing software isn't security.

Security is a holistic approach, see above.

> Did you ever hear in your life the words "exploit mitigation"?

Yes, I have. Would you like to talk about Control Flow Integrity, which is the current hotness on that topic? We are considering switching from gcc to clang, to allow for building *all* Alpine packages with Control Flow Integrity. Today, we are already building some packages, such as Chromium, with clang and CFI.

> Do you know what a concept like "whitelist" or "never root" or "everything needs a firewall" is? In the Alpine world a firewall is just an option called awall.

The Alpine world has all of the firewall options available, not just awall. Use what you want. If you think awall sucks, then use nftables directly.

> In my world a firewall is the ultimate protection.

There are many different threat models to consider. A firewall is not going to protect against an APT targeting Alpine-using dissidents from exploitation against their browser, for example. Again, security is a holistic approach.

> Over 85 % of all problems could be solved with pure nftables. Firewall is real security. In combination with Suricata, kernel parameters, kernel options etc. you get 98 % security. Many ready-made solutions exist: https://opnsense.org/
> https://www.pfsense.org/

These are competing distributions that are not even based on Linux.

> https://shorewall.org/
> ufw / Gufw

These are available in Alpine today. You may use them if you wish.

> https://firewalld.org/

This one is not, but that's because nobody has volunteered to package it, likely because it sounds related to systemd. You can request the package on the Alpine aports tracker if you require it.

> https://usbguard.github.io/

This is also available in Alpine. You may use it if you wish.

> 99,999999 % of all malicious code tries to find a way to GET IN or GET OUT, and at THAT point we catch them all.
>
> And 99,99999 % of all malicious code traffic is encrypted, so you don't have to monitor non-encrypted traffic.
>
> ppl are too lazy to install firewalls - that's the problem, not sudo versus doas.

Thank you for your opinion. I do agree that installing a firewall is good security practice, but again, security is a holistic approach, and making sure that we can support a branch of sudo for an Alpine lifecycle is a security-impacting concern.

And as previously stated, we are planning to coordinate with the docs team to write a security guide which covers these topics, and more.

Ariadne
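The Control Flow Integrity mentioned in the reply above is a compiler feature (clang's `-fsanitize=cfi`, which needs `-flto`), so its check is generated per call site and is not visible in source. The following added example, which is not part of the thread and not Alpine's or clang's code, emulates the forward-edge part of that check by hand: an indirect call through a function pointer is only allowed if the pointer is one of the targets that have the call site's signature. The handler names, the `CFI_REJECTED` sentinel and the allow-list are constructed for illustration; real CFI derives the allowed set from the function type at compile time rather than from a hand-written table.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Sentinel returned when the dispatch is refused (constructed for this example). */
#define CFI_REJECTED INT_MIN

typedef int (*handler_fn)(int);

/* Two handlers with the signature the dispatcher expects: valid targets. */
static int handle_ping(int x) { return x + 1; }
static int handle_echo(int x) { return x; }

/* A function with a different signature. It exists in the binary, but it is
 * not a legitimate target for an `int (*)(int)` call; a corrupted function
 * pointer that ends up here is exactly what forward-edge CFI refuses. */
static void shutdown_service(void) { puts("service would shut down"); }

/* Hand-written analogue of the per-type target set that clang's
 * -fsanitize=cfi-icall emits for each function-pointer type. */
static const handler_fn valid_handlers[] = { handle_ping, handle_echo };

static int is_valid_handler(handler_fn fp)
{
    for (size_t i = 0; i < sizeof valid_handlers / sizeof valid_handlers[0]; i++)
        if (valid_handlers[i] == fp)
            return 1;
    return 0;
}

/* Guarded indirect call: the pointer is validated against the allowed set
 * before it is used. Returns the handler's result, or CFI_REJECTED when the
 * target is not in the set (a real CFI build would abort the process here). */
int cfi_checked_call(handler_fn fp, int arg)
{
    if (!is_valid_handler(fp))
        return CFI_REJECTED;
    return fp(arg);
}

/* Runs one legitimate dispatch and one with a pointer that was "corrupted" to
 * a function of the wrong type; returns the number of rejected dispatches. */
int run_demo(void)
{
    int rejected = 0;

    int r = cfi_checked_call(handle_ping, 41);
    printf("handle_ping(41) -> %d\n", r);

    /* Simulated pointer corruption: the cast is legal C, but the target has
     * the wrong signature, so the checked dispatcher must refuse it. */
    handler_fn bad = (handler_fn)shutdown_service;
    if (cfi_checked_call(bad, 1) == CFI_REJECTED) {
        puts("dispatch to shutdown_service refused: not a valid int(int) target");
        rejected++;
    }
    return rejected;
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1;
}
```

With a CFI-enabled toolchain the hand-written table and `is_valid_handler` disappear: the compiler inserts an equivalent membership test before every indirect call, which is why the reply above frames a clang switch as the way to get this protection for every package rather than per program.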