Reply-To: noloader@gmail.com
From: Jeffrey Walton
Date: Thu, 19 Sep 2024 11:41:55 -0400
Subject: Re: Discussion - Is Alpine Linux still a more secure Linux Distribution compared to its compatriots
To: REDACTED
Cc: kdmw.629@tuta.io, "~alpine/users" <~alpine/users@lists.alpinelinux.org>

On Thu, Sep 19, 2024 at 11:13 AM REDACTED wrote:
>
> On Wed Sep 18, 2024 at 6:38 AM PDT, wrote:
> > So the point of discussion is, does Alpine still offer in terms of
> > security that the other distros don't? Or have the other distros caught
> > up with Alpine Linux? Should Alpine be considered as more secure or
> > equally secure compared to its peers like Debian, Ubuntu, Fedora, etc?
>
> [...]
> Whether Alpine is doing, or will do something comes down to some basics:
> does it make sense for Alpine (ie, fit for small systems), can it be
> merged in a way that doesn't disrupt what people have running, who's
> going to do the work, and can it be sustained.
>
> Alpine has its opinions in how it's composed. For instance, busybox and
> musl and openrc. Tradeoffs! Smaller surface and less complex, but fewer
> eyeballs. On the one hand, we're probably not going to be affected by
> vulns in glibc, systemd, and so forth. A smaller codebase with a much
> lower rate of upstream change than other distros *should* yield a less
> vulnerable base.
> But this is hypothetical: all software has bugs one way
> or another, that is the real world.

One datapoint from my $dayjob... Alpine is used for container instances because it has a small footprint, and it is best-in-class with respect to vulnerability scanner results. I.e., it has the fewest findings from known exploits. This is compared with other popular distros like Debian and Ubuntu.

However, I have not seen a comparison of Alpine and Fedora. I've asked SecDevOps to perform the Fedora scan for comparison, but it has not happened. And I have also not seen a comparison with a distro running grsecurity patches, like Gentoo.

The dev teams don't always like Alpine because it is often missing Python packages they need. The devs complain they have to build/install/package what they need.

Jeff