Date: Thu, 19 Sep 2024 15:12:50 +0000
Subject: Re: Discussion - Is Alpine Linux still a more secure Linux Distribution compared to its compatriots
From: "REDACTED"
To: "~alpine/users" <~alpine/users@lists.alpinelinux.org>

On Wed Sep 18, 2024 at 6:38 AM PDT, wrote:
> So the point of discussion is, does Alpine still offer in terms of
> security that the other distros don't? Or have the other distros caught
> up with Alpine Linux? Should Alpine be considered as more secure or
> equally secure compared to its peers like Debian, Ubuntu, Fedora, etc?

It's not the business of distro maintainers to get into these comparisons.
There's plenty of sites and blogs that get into that stuff, and then you
have to decide for yourself whether any of those opinions matter.

Whether Alpine is doing, or will do something comes down to some basics:
does it make sense for Alpine (i.e., fit for small systems), can it be merged
in a way that doesn't disrupt what people have running, who's going to do
the work, and can it be sustained.

Alpine has its opinions in how it's composed. For instance, busybox and
musl and openrc. Tradeoffs! Smaller surface and less complex, but fewer
eyeballs. On the one hand, we're probably not going to be affected by vulns
in glibc, systemd, and so forth. A smaller codebase with a much lower rate
of upstream change than other distros *should* yield a less vulnerable
base. But this is hypothetical: all software has bugs one way or another,
that is the real world.

It would probably serve you well to dig through Alpine's gitlab. A lot of
the answers you want are almost certainly there, as well as questions you
probably didn't know to ask -- many of those also have answers. Some things
are left open.

For instance, Alpine has not reappointed the security officer position yet.

https://gitlab.alpinelinux.org/alpine/tsc/-/issues/63

Or at least, not according to that issue. How much this matters is probably
"not much" but it may be of interest to you, along with other things you
will discover across the gitlab there.