[cap-talk] Bundling efforts, choosing a platform? (Plash: Empowering Security)

Rob Meijer capibara at xs4all.nl
Mon Apr 7 02:36:38 CDT 2008


On Sun, April 6, 2008 23:05, Toby Murray wrote:

> Introducing Plash
>
> This tool is called Plash [2] and currently runs on Debian-compatible
> Linux distributions such as Debian and Ubuntu [*].

Reading your posting, especially this section on the target platform made
me wonder if one of the reasons that open source efforts on POLP/POLA are
not picking up could be in the targeting of platforms, and usage of
different ways of distributing to the same platforms.

Thus if we would want to create a wider platform for POLP/POLA, possibly
we would want, as a community, to choose a common target OS/distribution to
'safe' :-), or ultimately even to provide migration paths to a
completely POLA based OS.

Currently for my own open source POLA/POLP projects, I've been targeting
Suse Linux as a result of it being the primary platform that uses
AppArmor. I feel that AppArmor, and thus AppArmor supporting Linux
distributions is much more compatible in its design and overall principles
with discretionary mechanisms than for example SELinux. For this reason, I
would personally think Suse would be the most natural, but with Plash
being targeted at Debian based distros, and Ubuntu also bundling with
AppArmor, Ubuntu might be a very good alternative also.

I am overall a big fan of the original Debian distribution, especially as
a development platform, but its choice for SELinux instead of AppArmor
seems like a bit of an obstacle. Thus if for example Etch would be the
chosen platform, providing and maintaining a package that would replace
SELinux by AppArmor would seem essential. Possibly other projects have
similar considerations, or dependencies not directly met by standard
packages.
This would mean that we should also provide and maintain packages for
those dependencies, and put all packages on some common repository for
the chosen platform.

While other notable projects have focussed on being cross-platform at the
OS level, by choosing platforms like the Java virtual machine or the
Gecko platform, I still feel there might potentially be much to gain by
(partially) dropping the broad range of platforms supported, and putting
effort on interaction with other projects working on a chosen 'savable'
platform, like for example Plash or AppArmor and possibly MinorFs.
Next to this, bundling also the Java and Gecko based projects as rpm or deb
packages, and placing them on a common repository might further decrease the
threshold for people to start trying POLP/POLA and capability mechanisms
and possibly gain a better understanding and appreciation for what it can
offer.

I would really like to know how others, especially others working on or
authors of open source POLP/POLA efforts (including those for Java and
Gecko platforms) would feel about choosing a common OS/distro to
consolidate our efforts on, and to build for that distro a repository
holding packages for our projects and for all dependencies not met by the
standard repositories.

Further I would be interested in hearing from the OS people what their
thoughts are on such bundling, and on the possibility of themselves using
such a platform as part of a migration path.

If we can agree on a common platform, I would be willing to put some effort
in setting up the repository and maintaining some common dependency packages
if needed.


Rob



