~alpine/users

10 7

Discussion - Is Alpine Linux still a more secure Linux Distribution compared to its compatriots

Details
Message ID
<O74GIpz--B-9@tuta.io>
DKIM signature
missing
Download raw message
One of the claims to fame for Alpine Linux has been its security. In Alpine Linux About page it is mentioned that Alpine is a 
"Linuxdistribution designed for power users who appreciate security, simplicityand resource efficiency." 

In wider Linux Ecosystem Alpine is known for its focus on security. i.e. it was among the very first distributions to enable PIE and Stack Smashing prevention flags for its packages. While other distros dithered Alpine Linux forged ahead with security as one of its primary goal. But over the past few years the situation has changed. Other distros, like Debian/Ubunutu/Fedora have come close if not surpassed Alpine Linux in terms of security. For example Debian and Ubuntu now have started packaging most if not all of their binaries with PIE, Stack Smashing prevention, full Relocation Read-Only (RELRO) enabled, etc. 

So the point of discussion is, does Alpine still offer in terms of security that the other distros dont? Or have the other distros caught up with Alpine Linux? Should Alpine be considered as more secure or equal secure compared to its peers like Debian, Ubuntu, Fedora, etc? 

I am not saying that Alpine Linux should not be chosen. Nor am I questioning anyone's choice of selecting Alpine Linux. Nor am I trying to say that Alpine Linux is no longer relevant. It is a good distro with minimal footprint, fast execution, fast bootup and ability to build on top of its base install.  I just want the community which builds Alpine Linux to say what they think about security in Alpine Linux. 

-- 
Aficionado
Details
Message ID
<5ed4f8e4e4952161908a9d9f25aaf10283159264.camel@riseup.net>
In-Reply-To
<O74GIpz--B-9@tuta.io> (view parent)
DKIM signature
missing
Download raw message
On Wed, 2024-09-18 at 15:38 +0200, kdmw.629@tuta.io wrote:
> Should Alpine be considered as more secure or equal secure compared to
> its peers like Debian, Ubuntu, Fedora, etc?

Hi,

security has almost nothing to do with the distribution used. Security
depends almost exclusively on the user. The best security measures that
a distribution may offer are of no use if the user uses them
incorrectly.

It also depends on what you want to protect, how and from whom. 

I don't care much about security ( xhost + ;), since you can't get
anything from my computer (Arch Linux) for everyday private work or
destroy or make anything important inaccessible.

Apropos Arch Linux. I don't know how BlackArch compares to
https://www.kali.org/ .

"BlackArch Linux is an Arch Linux-based penetration testing distribution
for penetration testers and security researchers." - https://blackarch.org/

Consider attacking your own server to check for security flaws.

Or if you are a desktop computer user, consider just to learn, how to
avoid common mistakes, e.g. those related to OpenPGP usage.
Misconceptions related to TOR etc. ppp.

Update your machine from official repos of your distribution. Don't use
1000 containers, each for each single app, all with 1000 different
library versions of the same libraries, better use non-containerised
apps sharing a single version of each library.

Consider to either follow the security tracker of your distro and/or
install a helper. Arch Linux for example provides
https://gitlab.archlinux.org/archlinux/arch-audit .

Etc. ppp., it is pointless to give tips or even express opinions without
knowing what you want to protect, why and from whom.

Regards,
Ralf
Details
Message ID
<b2cd80332ea09b1d76825b78598c270debc72821.camel@riseup.net>
In-Reply-To
<5ed4f8e4e4952161908a9d9f25aaf10283159264.camel@riseup.net> (view parent)
DKIM signature
missing
Download raw message
PS

On Wed, 2024-09-18 at 16:54 +0200, Ralf Mardorf wrote:
> On Wed, 2024-09-18 at 15:38 +0200, kdmw.629@tuta.io wrote:
> > Should Alpine be considered as more secure or equal secure compared
> > to its peers like Debian, Ubuntu, Fedora, etc?
                              ^^^^^^

It's important to understand the policy of a used distro, e.g. related
to repository components. Ubuntu is an excellent example:

"[snip]
Main

The main component contains applications that are free software [snip]
and that the Ubuntu security and distribution team are willing to
support. When you install software from the main component, you are
assured that the software will come with security updates and that
commercial technical support is available from Canonical.

Restricted

[snip] Please note that it may not be possible to provide complete
support for this software because we are unable to fix the software
ourselves [snip]

Universe

[snip] Canonical does not provide a guarantee of regular security
updates for software in the universe component [snip]

Multiverse

The multiverse component [snip] is not supported and usually cannot be
fixed or updated. Use it at your own risk.
[snip]" - https://help.ubuntu.com/community/Repositories
Details
Message ID
<a10bf73ab7d3fc9c1143159adf9821ab7e76b693.camel@riseup.net>
In-Reply-To
<b2cd80332ea09b1d76825b78598c270debc72821.camel@riseup.net> (view parent)
DKIM signature
missing
Download raw message
PPS:

I was struggling with whether or not to write it. the following is not
meant as a silly joke, nor as a political statement.

Which is safer, a smartphone or a pager?

What I'm getting at is that the biggest security flaw of all is
believing that there is a best solution.
Details
Message ID
<O77otH---B-9@tuta.io>
In-Reply-To
<a10bf73ab7d3fc9c1143159adf9821ab7e76b693.camel@riseup.net> (view parent)
DKIM signature
missing
Download raw message
If the aim is to prevent tracking and be a little more secure in terms of interception of communications then pagers might be good alternatives. Especially if two way communications is not required. Sort of a top-down broadcast messaging approach. 

A smartphone can also be safe provided it is not built by FBI sponsored shell company and touted as a secure encrypted device. If we do not want to be tracked on a smartphone, remove the installed OS and use a mod. Keep Bluetooth, Location and Wifi off. Use only signal or telegram and talk in code even on signal or telegram. 

However this is a discussion about Linux distros. The point that I was trying to make was that other Distros have caught up or in certain aspects gone past Alpine Linux OOTB in terms of security. And the distro selection plays an important role. Many of us do not want to compile the Kernel only for the hardware required with the GCC flags targeted towards one particular generation of CPU architecture, like Zen, Tiger Lake, Silver Lake, etc. Many users want to start with something similar to Alpine Linux standard and then built on top of that.

So if that is the case is there something additional in terms of security that Alpine Linux does that other distros do not do which make it stand out? This is just for information. 

I am not saying Alpine Linux should not be selected or it does not offer something. Nor am I challenging anyone's decision to use Alpine Linux. It is a good distro. And the decision to use Alpine Linux over say Debain/Fedora/Ubuntu is a good decision to make. 

-- 
Aficionado

Sep 18, 2024, 21:11 by ralf-mardorf@riseup.net:

> PPS:
>
> I was struggling with whether or not to write it. the following is not
> meant as a silly joke, nor as a political statement.
>
> Which is safer, a smartphone or a pager?
>
> What I'm getting at is that the biggest security flaw of all is
> believing that there is a best solution.
>
Details
Message ID
<7a939fb0be5dcf4bc9501d7eb62fce306f84979b.camel@riseup.net>
In-Reply-To
<O77otH---B-9@tuta.io> (view parent)
DKIM signature
missing
Download raw message
On Thu, 2024-09-19 at 07:48 +0200, kdmw.629@tuta.io wrote:
> And the decision to use Alpine Linux over say Debain/Fedora/Ubuntu is
> a good decision to make.

Doesn't it depend on the purpose?
How qualified or unskilled is the user?
What is the intended use? Server, Router, Desktop ...?
What exactly needs to be secured? Data, privacy, your health ...?
Who are you and who is the potential attacker?
Does it even matter what init system is used? If so, why?
Or to put it another way, is it better to use what most security teams
focus on, but probably also what most attackers focus on, or is it
better to use something that is under the development of a minority, but
perhaps less in the focus of attackers?
Some of these questions can be answered clearly, while others can only
be guessed at, which can unfortunately be completely wrong.

If you can install explosive charges in thousands of pagers, then you
can also install GPS trackers instead or in addition. So you can also
potentially track a pager.
And this reason, user, attacker chain is valid for everything, including
the choice of Linux distro.
Details
Message ID
<D4ACWC7305LF.2DM29SENIP4GF@riseup.net>
In-Reply-To
<O74GIpz--B-9@tuta.io> (view parent)
DKIM signature
missing
Download raw message
On Wed Sep 18, 2024 at 6:38 AM PDT,  wrote:
> So the point of discussion is, does Alpine still offer in terms of
> security that the other distros dont? Or have the other distros caught
> up with Alpine Linux? Should Alpine be considered as more secure or
> equal secure compared to its peers like Debian, Ubuntu, Fedora, etc? 

It's not the business of distro maintainers to get into these
comparisons. There's plenty of sites and blogs that get into that stuff,
and then you have to decide for yourself whether any of those opinions
matter.

Whether Alpine is doing, or will do something comes down to some basics:
does it make sense for Alpine (ie, fit for small systems), can it be
merged in a way that doesn't disrupt what people have running, who's
going to do the work, and can it be sustained.

Alpine has its opinions in how it's composed. For instance, busybox and
musl and openrc. Tradeoffs!  Smaller surface and less complex, but fewer
eyeballs. On the one hand, we're probably not going to be affected by
vulns in glibc, systemd, and so forth. A smaller codebase with a much
lower rate of upstream change than other distros *should* yield a less
vulnerable base. But this is hypothetical: all software has bugs one way
or another, that is the real world.

It would probably serve you well to dig through Alpine's gitlab. A lot
of the answers you want are almost certainly there, as well as questions
you probably didn't know to ask -- many of those also have answers.

Some things are left open.

For instance, Alpine has not reappointed the security officer position
yet. https://gitlab.alpinelinux.org/alpine/tsc/-/issues/63

Or at least, not according to that issue. How much this matters is
probably "not much" but it may be of interest to you, along with other
things you will discover across the gitlab there.

--
Jeffrey Walton <noloader@gmail.com>
Details
Message ID
<CAH8yC8nshCNg5S0PqbndjDvLjow5wSi3BmTwDnv0yrg8bZGJ1w@mail.gmail.com>
In-Reply-To
<D4ACWC7305LF.2DM29SENIP4GF@riseup.net> (view parent)
DKIM signature
missing
Download raw message
On Thu, Sep 19, 2024 at 11:13 AM REDACTED <palisade@riseup.net> wrote:
>
> On Wed Sep 18, 2024 at 6:38 AM PDT,  wrote:
> > So the point of discussion is, does Alpine still offer in terms of
> > security that the other distros dont? Or have the other distros caught
> > up with Alpine Linux? Should Alpine be considered as more secure or
> > equal secure compared to its peers like Debian, Ubuntu, Fedora, etc?
>
> [...]
> Whether Alpine is doing, or will do something comes down to some basics:
> does it make sense for Alpine (ie, fit for small systems), can it be
> merged in a way that doesn't disrupt what people have running, who's
> going to do the work, and can it be sustained.
>
> Alpine has its opinions in how it's composed. For instance, busybox and
> musl and openrc. Tradeoffs!  Smaller surface and less complex, but fewer
> eyeballs. On the one hand, we're probably not going to be affected by
> vulns in glibc, systemd, and so forth. A smaller codebase with a much
> lower rate of upstream change than other distros *should* yield a less
> vulnerable base. But this is hypothetical: all software has bugs one way
> or another, that is the real world.

One datapoint from my $dayjob... Alpine is used for container
instances because it has a small footprint, and it is best-in-class
with respect to vulnerability scanner results. I.e., it has the fewest
findings from known exploits. This is compared with other popular
distros like Debian and Ubuntu.

However, I have not seen a comparison of Alpine and Fedora. I've asked
SecDevOps to perform the Fedora scan for comparison, but it has not
happened. And I have also not seen a comparison with a distro running
gresecurity patches, like Gentoo.

The dev teams don't always like Alpine because it is often missing
Python packages they need. The devs complain they have to
build/install/package what they need.

Jeff
Details
Message ID
<D4ADNXU807D8.B3F6UE7PL67Q@pwned.life>
In-Reply-To
<CAH8yC8nshCNg5S0PqbndjDvLjow5wSi3BmTwDnv0yrg8bZGJ1w@mail.gmail.com> (view parent)
DKIM signature
missing
Download raw message
> The dev teams don't always like Alpine because it is often missing
> Python packages they need. The devs complain they have to
> build/install/package what they need.

Huh, interesting. Did not heard that before. From what I can say is that
Alpine has a lot of python packages and I mostly don't miss anything,
much less than from other distributions like Debian.

But if you do, you can always use venv's for that, but then, of course,
you miss out on a lot of security features.
Bjoern Franke <bjo@schafweide.org>
Details
Message ID
<42ae97cb-f16a-4eeb-a519-d40de33bb631@schafweide.org>
In-Reply-To
<CAH8yC8nshCNg5S0PqbndjDvLjow5wSi3BmTwDnv0yrg8bZGJ1w@mail.gmail.com> (view parent)
DKIM signature
missing
Download raw message
Hi,

> One datapoint from my $dayjob... Alpine is used for container
> instances because it has a small footprint, and it is best-in-class
> with respect to vulnerability scanner results. I.e., it has the fewest
> findings from known exploits. This is compared with other popular
> distros like Debian and Ubuntu.
> 

I'm surprised that this aspect wasn't mentioned earlier. Some time ago 
at $dayjob we compared the Nextcloud Docker images, the Debian based one 
and the Alpine based one, with trivy. I don't recall the numbers in 
detail any more, but while trivy found dozens of vulnerabilities in the 
Debian image, there were nearly 0 in the Alpine image. Several 
vulnerabilities didn't even have Debian Security Advisories assigned.

Regards
Bjoern
Страхиња Радић <sr@strahinja.org>
Details
Message ID
<a4pp3scglo54gjzcbv44llz5pqw3yvsca5zfu4jeqpd2gxngb7@nsf6evjvuyen>
In-Reply-To
<O77otH---B-9@tuta.io> (view parent)
DKIM signature
missing
Download raw message
Дана 24/09/19 07:48AM, kdmw.629@tuta.io написа:
> A smartphone can also be safe

It can't, by its nature and design. Wireless (WiFi and "mobile data")
transmission is much easier to eavesdrop on, and is inherently
insecure. All smartphones are surveillance devices.


> Use only signal or telegram

Both insecure, because they use centralized servers, which can collect
all the data. Something like the P2P Tox protocol, with real end-to-end
encryption, is better in terms of security, but still not ideal. As 
someone replied, there is no absolute security.


> and talk in code even on signal or telegram

This is one of the oldest forms of encryption,[1] which is also perhaps
the easiest to crack.


[1]: https://en.wikipedia.org/wiki/Encryption#Ancient
Reply to thread Export thread (mbox)