madaidan via Whonix Forum:
I guess the only reliable way is listing all packages installed on the system and reviewing each one. This would be very difficult though. On my Whonix Gateway VM (mostly unmodified), there are 871 installed packages.
That’s it. There are too many of them. It’s also kind of whack-a-mole since
dependencies change over time. With that number of packages the process
would have to be at least partially automated.
Then we should read all arguments and form our own conclusion.
Often it doesn’t just require reading all arguments but also outreach,
contacting various people for clarification and/or trying to make
them talk to each other.
The problem could be reframed. Debian isn’t (a | the most)
security-focused Linux distribution. Under some threat models, Debian is
judged insecure. Issues with Debian would then have to be considered
deeper than technical, i.e. architectural, organizational, ideological
issues. To put it another way, (a lot | many | most) (?) Debian
Developers don’t prioritize security over everything else, readily
compromising other things such as package availability, features,
usability, etc. That shouldn’t come as a surprise. Debian’s slogan is “the
universal operating system”, not “attempting to be the most secure
operating system”, and therefore Debian didn’t attract that mindset.
Debian consists mostly of volunteers who need to attend to day jobs,
which is arguably not the best for security either.
Then also upstream distributions can mostly only package available
upstream software but not re-write most of it. Though, a lot of upstream
software was created with other priorities and not necessarily the highest
security in mind. A lot of required functionality is only available through
“legacy” software written in memory-unsafe programming languages. The whole
Open Source software ecosystem was never primarily focused on security to
begin with.
I don’t think these deeper Debian issues can be fixed through technical
solutions at the Whonix level. The solution would instead be to rebase
Whonix on a Linux distribution that is actually security-focused, i.e. a
distribution that has these security properties and at the same time no
other issues making it unsuitable. Such a distribution didn’t exist at
the time Whonix was created and might not exist at this time
either, see:
You might want to become founder of a Linux distribution that is similar
to Debian but explicitly security-focused.
CVEs aren’t that reliable. A project that cares more for security will put more work into finding and fixing vulnerabilities which will make it have more CVEs than a project that doesn’t care for security at all and thus doesn’t attempt to find vulnerabilities.
Agreed. Good to add to wiki.
CVEs can sometimes be useful though, as in the case of, for example, firejail, where it’s evidence of a major architectural issue.
More potential criteria:
Good points to explore.
- exploit mitigations - for example, chromium has support for mitigations such as clang CFI which is very rare on Linux
https://www.youtube.com/watch?v=31xA9p3pYE4 didn’t sound promising on
security improvements overall. Quoting freely: “More and more companies
(such as Google Chrome, to pick one example among a trend) move to an
approach where security bug reports are disregarded unless a proof of
concept exploit is provided. Mitigation methods for bad,
potentially exploitable code are preferred over actual security bug
fixes because there is too much source code, complexity is too high and
the total number of bugs is unmanageable.”
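The opening exchange above says that reviewing every installed package is the only reliable approach and that, at 871 packages, the process would have to be at least partially automated. The following is an added example of what that partial automation could look like; it is not code from the Whonix forum thread or from the Whonix project. It parses dpkg status stanzas (the format of /var/lib/dpkg/status and of `dpkg-query -W --showformat`), builds the dependency graph among installed packages, and reports the "leaf" packages that nothing else installed depends on. Those are the packages someone actually chose to install, so a manual review can start there and attribute every other package to the leaf that pulled it in. The embedded status data is a constructed sample, not real Whonix Gateway output; when `dpkg-query` is available the script reads the live database instead.

```python
"""Triage helper for the 'list every installed package and review it' idea.

Added example, not code from the Whonix forum post or project. Parses dpkg
status stanzas, finds 'leaf' packages (installed packages that no other
installed package depends on) and groups packages by section, so that a
human review of hundreds of packages has a sensible starting point.
"""
import re
import shutil
import subprocess

# Constructed sample in /var/lib/dpkg/status format; not real system data.
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Priority: required
Section: libs
Depends: libgcc-s1

Package: libgcc-s1
Status: install ok installed
Priority: optional
Section: libs
Depends: gcc-12-base

Package: gcc-12-base
Status: install ok installed
Priority: required
Section: libs

Package: tor
Status: install ok installed
Priority: optional
Section: net
Depends: libc6 (>= 2.34), libevent-2.1-7 | libevent-2.1-7a, adduser
Recommends: tor-geoipdb

Package: libevent-2.1-7
Status: install ok installed
Priority: optional
Section: libs
Depends: libc6 (>= 2.14)

Package: adduser
Status: install ok installed
Priority: important
Section: admin
Depends: passwd

Package: passwd
Status: install ok installed
Priority: required
Section: admin
Depends: libc6 (>= 2.34)

Package: removed-thing
Status: deinstall ok config-files
Priority: optional
Section: misc
Depends: libc6

Package: firejail
Status: install ok installed
Priority: optional
Section: admin
Depends: libc6 (>= 2.34)
"""


def parse_status(text):
    """Return {name: fields} for stanzas whose Status ends in 'installed'.

    Packages left in 'config-files' state after removal still have a stanza
    but are not installed, so they are skipped.
    """
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (leading whitespace) belong to the previous
            # field and carry nothing we need here.
            if ":" in line and not line.startswith((" ", "\t")):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            pkgs[fields["Package"]] = fields
    return pkgs


def dep_names(field):
    """'libc6 (>= 2.34), a | b, python3:any' -> {'libc6', 'a', 'b', 'python3'}.

    Every alternative counts as an edge; version constraints, architecture
    restrictions, build profiles and ':arch' qualifiers are dropped.
    """
    names = set()
    for clause in field.split(","):
        for alt in clause.split("|"):
            name = re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", alt).strip().split(":")[0]
            if name:
                names.add(name)
    return names


def leaf_packages(pkgs):
    """Installed packages that no other *installed* package depends on."""
    depended_on = set()
    for fields in pkgs.values():
        for key in ("Depends", "Pre-Depends"):
            depended_on |= dep_names(fields.get(key, ""))
    return sorted(set(pkgs) - depended_on)


def triage(pkgs):
    """Summary a reviewer wants before opening hundreds of package pages."""
    by_section = {}
    for name, fields in pkgs.items():
        by_section.setdefault(fields.get("Section", "unknown"), []).append(name)
    return {
        "total": len(pkgs),
        "leaves": leaf_packages(pkgs),
        "sections": {s: sorted(v) for s, v in by_section.items()},
    }


def status_text():
    """Read the live dpkg database when dpkg-query exists; else the sample."""
    if shutil.which("dpkg-query"):
        fmt = ("Package: ${Package}\nStatus: ${Status}\nPriority: ${Priority}\n"
               "Section: ${Section}\nDepends: ${Depends}\n"
               "Pre-Depends: ${Pre-Depends}\n\n")
        return subprocess.run(["dpkg-query", "-W", "-f", fmt], check=True,
                              capture_output=True, text=True).stdout
    return SAMPLE_STATUS


if __name__ == "__main__":
    summary = triage(parse_status(status_text()))
    print(f"{summary['total']} installed packages, "
          f"{len(summary['leaves'])} leaves (start the review here):")
    for name in summary["leaves"]:
        print("  ", name)
    for section, names in sorted(summary["sections"].items()):
        print(f"{section}: {len(names)}")
```

On the constructed sample the leaves are `firejail` and `tor`; everything else is a library or helper pulled in by one of them. Leaf status is a starting point, not a verdict: a library that is a dependency of many packages (libc6 here) has the largest attack surface of all, so the section grouping is there to pick the next review targets once the leaves are done. Because dependency sets change between releases, the script is meant to be re-run after every upgrade rather than treated as a one-off audit.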