But it's not perfect: https://madaidans-insecurities.github.io/openbsd.html
See also https://madaidans-insecurities.github.io/linux.html

I think it may be some type of a discord of another nature like following:

If we look at OpenBSD community and talk to them, we will know that they prohibit USA citizens to work on OBSD crypto at least because of USA export restrictions on cryptography, they see Linux sponsors often being controlled by USA and NSA, they recommend to NOT use Libreboot and GNU code as it may be infected by hardly visible NSA backdoors. The most obvious backdoor is systemD, btw.

I think such open source GNU backdoors are targeted at modern hardware closed source trojans, UEFI plugins and other bootkits. But then OpenBSD may include some software backdoors from GB MI5/MI6?

If we look at american Whonix they promote Linux, undocumented security patches by @anthrax and GNU software welcomed by NSA.

Of course I may be wrong, just an idea.

Also add here China (often sponsored by London) vs USA commercial collisions (if they are not just a political theater).

bimon wrote:

I wonder how is it possible to use such a distro in production

Well Alpine is very popular indeed, it's the default image for Docker. And it's fundamentally incompatible with systemd thanks to the musl libc base.

For a standalone usage on physical hosts without local or remote ZFS root would not it be good to have a verification of earlier installed files?

Even with a root placed to ZFS directly or to extX over zvol verification of installed files in a package manager is still very convenient as a first place to check installation integrity and see at least which config files were changed from their default state since packages installed.

I wonder how is it possible to use such a distro in production

Well Alpine is very popular indeed, it's the default image for Docker. And it's fundamentally incompatible with systemd thanks to the musl libc base.

Individual packages can be verified after installation:

apk verify $package

It seems that this command verifies only a package signature, but NOT checksums of the files already installed earlier? I wonder how is it possible to use such a distro in production, all serious distros like Debian apt, RH yum, Arch pacman and even Gentoo allow to verify earlier installed files.

Good notice, I did not try to build software written in relatively low level languages like C on Alpine Linux. Though using Alpine just as a KVM hypervisor host seems workable idea to me if for some unfortunate reason sometimes we do not have our lovely Devuan for that purpose and if even Slackware/Salix stalls its development. Alpine looks being very actively developing in spite of any problems in other systemd free distros.

Sure Alpine package integrity is verified before installation, but after files have been installed how to verify them once again say like by

wajig integrity

in Devuan?

Individual packages can be verified after installation:

apk verify $package

Have you actually tried building much software from source using a musl libc base? Most software is intended for use with GNU's bloated libc variant and so might not compile under musl without patching.

Yes but it is irritating to have to disable services after installing packages. And it's spelled "systemd" btw, it doesn't end with a capital "d".

Yes indeed, unlike the Linux devs the developers of that operating system prioritise security over shiny new features.

But it's not perfect: https://madaidans-insecurities.github.io/openbsd.html

See also https://madaidans-insecurities.github.io/linux.html

AppArmor is enabled by default for Debian buster and I think Devuan's beowulf release will also follow that path.

Sure Alpine package integrity is verified before installation, but after files have been installed how to verify them once again say like by

wajig integrity

in Devuan?

You could use something like this:
https://packages.debian.org/stable/fcheck

I think the best way to use this would be to scan the system while it's offline by using a live USB Devuan, with the database also stored on an external drive.

Phil

Arch is similar to OpenBSD in that respect — no services are enabled automatically, unlike Devuan & Debian.

I can easily configure services in any distro free from systemD, it is relatively non time consuming task, example (Devuan ASCII):

But there is much more security in OpenBSD, then just minimum amount of services, if I would compare OpenBSD to Linux I would mention at least following manual config actions for Linux needed:

Kernel needs to be Libre and sometimes patches needed with many compile time and startup time options for enabling different security settings.
Need to configure AppArmor.
Settings in sysctl
/etc/ configs of services often need to be customized for better security.

Alpine Linux do offer an edge branch which is rolling but their stable release schedule is about every six months.

At least Alpine keeps packages from earlier releases so that it is possible to switch config to them or manually download them if needed.

Rolling distros not keeping earlier versions of packages are hardly suitable for production usage especially on physical hosts.

On virtual host it is easier to fix rolling installation especially if using host's ZFS zvol with snapshots for a guest file system.

Sure Alpine package integrity is verified before installation, but after files have been installed how to verify them once again say like by

wajig integrity

in Devuan?

It seems to miss binary compatibility with other distros which is not convenient but at least overcomeable by building from source.

Btw, is it possible to rebuild a complete workable subset (like for a mini debootstrap) of Devuan/Debian packages for i586?

I don't think so but I may be wrong.

Arch is similar to OpenBSD in that respect — no services are enabled automatically, unlike Devuan & Debian.

But the main problem with security in GNU/Linux is that the kernel devs just don't give a damn: https://lkml.org/lkml/2008/7/14/465

Alpine Linux do offer an edge branch which is rolling but their stable release schedule is about every six months. They do sign their repositories though and apk verifies the packages before installation. Alpine Linux rocks but the musl libc base might prove slightly limiting.

Main OS: Devuan, OpenBSD (non Linux)
Alternative main OS: Alpine, Salix
Guest OS: ^above, Parabola, Gentoo, GUIX

All mentioned above distributions except OpenBSD and GUIX support at least OpenRC init system, and some of them provide more options for their init system. None of them forces you to use systemD without your choice.
So OpenRC is supported in: Devuan, Alpine, Salix (Slackware), Parabola and Gentoo.

Devuan, Alpine, Salix and OpenBSD have release model suitable for stability in production usage.
Parabola and Gentoo are rolling distributions without release cycles, so they provide more recent, fresh versions of the software but not always stable enough, therefore they are only good for experimenting, e.g. as VM guests.

Legacy usable OS: Debian v4-v7, RH/Centos v4-v6
Unusable shit OS: any distro nailed to systemD without a choice to replace it with something else like OpenRC or at least sysv.

I have found only a very few of distros convenient for myself:

Universal OS (e.g. for host): Devuan, OpenBSD
Guest OS (less stable, rolling): Parabola, Gentoo, GUIX

It seems for Linux based virtualization hosts  only Devuan is suitable IMHO.
But it would be better to have a backup path having one more distro to be on the safe side.
It shall be very stable not rolling, I guess Slackware Salix could be good, but it lacks a feature to verify installed files:
https://wiki.archlinux.org/index.php/Pa … and_repair

Unfortunately I do not know any other stable Linux distros except Devuan and Slackware Salix free of systemD.

Alpine seems to be less rolling than Arch/Parabola but it lacks installed files verification too.

What makes you think Gentoo is more secure than Devuan? Their PaX integration is no longer officially supported now that grsecurity have moved to a paying model.

Gentoo still has a so called hardened profile though without PAX. It is most likely a set of some compiler options.

I wonder if Devuan security level is worse than Gentoo hardened profile?

Btw, is it possible to rebuild a complete workable subset (like for a mini debootstrap) of Devuan/Debian packages for i586? Only for text mode SSH session?
In Gentoo I can rebuild world for i586 (and even for i486).

If we look at https://forums.whonix.org/c/news
there is so much work is done for improving distro security, unfortunately it is based on Debian instead of Devuan.

There are so many hardening manuals for Linux, like for Windows too.
Why not having a Linux distro with default configuration similar to OpenBSD, which is the most secure by default and any custom change would be an opt out of security rather than opt in?

You can build your own kernel with that configuration by following https://kernel-team.pages.debian.net/ke … n-official

What makes you think Gentoo is more secure than Devuan? Their PaX integration is no longer officially supported now that grsecurity have moved to a paying model.

Preferably a Libre variant without BLOBs like this:

https://web.archive.org/web/20200508081 … -hardened/

Is gentoo-hardened still more secure than Devuan when used with the same anthraxx kernel ?