Thread: Fedora Security Spin

  1. #1
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Fedora Security Spin

    Hi,

    I was wondering if the developers have heard of Fedora's new security spin. This might be a good way for the BT developers to put the OS work on Fedora and concentrate on the tools. The BT developers won't have to worry about getting the latest Firefox update out the door. They can work on getting the new aircrack-ng beta out the door. Granted, Fedora is a short-lived distribution like Intrepid (which is end of life April 2010), but if the developers just concentrate on the tools and let Fedora handle the OS stuff, getting a distribution out every year shouldn't be too difficult. Also, having RedHat behind you should make getting patches upstream easier, thus making your lives easier. I don't want to start a "which distribution is better" flamewar. I was only wondering if the developers have heard of the proposed distribution and what they thought of it.

    Security Spin - FedoraProject
    I like the bleeding edge, but I don't like blood loss

  2. #2
    Senior Member hypervista's Avatar
    Join Date
    Feb 2010
    Posts
    121

    Re: Fedora Security Spin

    I could be wrong, and am merely speculating, but I suspect the developers' decision to switch to Ubuntu was very much driven by the considerations you listed (focus on the tools while relying on a solid distribution mechanism that takes care of the underlying OS). While the relative merits of Ubuntu vs Fedora can and have been debated, it's my opinion that Ubuntu is a solid choice for the reasons you outlined.
    Last edited by hypervista; 03-25-2010 at 08:23 PM.

  3. #3
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Re: Fedora Security Spin

    Please don't get me wrong. I like Ubuntu. My concern is that Intrepid is EOL in April and I don't think BT5 will be ready by then. That isn't a stab at the developers; I know they work very hard and ship BT when it is ready and not before. However, moving to a long-term OS like CentOS or Ubuntu LTS frees the developers and users of BT from worrying about the core OS things.
    I like the bleeding edge, but I don't like blood loss

  4. #4
    Member
    Join Date
    Feb 2007
    Posts
    229

    Re: Fedora Security Spin

    With Lucid officially right around the corner it would probably make sense to use that as a base platform, but as I've learned in my testing environments it's a PITA to get stuff ported (properly) from BT into newer distributions without breaking damned near everything. This sort of undertaking would probably require a good deal of recompilation with the new libraries from source for new packaging, which too is no small feat.

  5. #5
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Re: Fedora Security Spin

    I do hear what you guys are saying, but frankly moving to Ubuntu was a huge step for us and we will most likely stay with it. The fact is that Linux is Linux under the hood and the distro really doesn't matter. We have our own custom kernel and we work really hard to make it all work. The apt-get package management system is far superior to Yum in my opinion, and although I use CentOS for servers, I think it makes a crappy desktop.

    On the subject of updating, it's my experience that most people want to update just to do it. They have no real reason to have the newest and latest Firefox other than they think it's cool. Most of them couldn't even tell you if there were any exploits for their current version. I do hear what people are saying about Ubuntu being slow to update, and we are slowly but surely taking over all the packages ourselves so that we can keep up to date. Hopefully in the future the team will grow and we will have more people to maintain packages.

    I am of course not the final word, but I am pretty sure that everyone on the team would agree that we are pretty comfortable with Ubuntu and will probably stick with it.

  6. #6
    Member
    Join Date
    Feb 2007
    Posts
    229

    Re: Fedora Security Spin

    I'm all for sticking with Ubuntu - it has a whole slew of benefits and is generally rather well maintained. I would say that using a non-LTS version as a base for BT may have been a bit of an oversight, as Canonical is not too good at maintaining these OS'.

    This is why I've been trying to get everything to work with Karmic, but unfortunately package dependencies make it somewhat difficult. When BT became its own distro wholly separate from Ubuntu repos, packages started to have dependencies that conflict with the ones in Canonical's repos. For instance, installing an nvidia driver deb which isn't called nvidia-driver causes the cuda packages to not work, and so forth.

    Once there's a stable kde3 version of 10.04 I'm going to put some time into porting stuff over for testing, keep notes, and submit what I find to the devs for consideration. I do a lot of Ubuntu work anyway, presently using a pretty customized Karmic build for XenServer domU to run some of the company services (the devs are all for, so why not).

    The primary issues that arise with this sort of thing are actually Python related - Karmic runs on Python 2.6, and once you start piling in a lot of Python versions it turns into a mess as site-packages and the like become muddled. I would probably try to go with the newest rev of Python first in the OS and install everything else after, thus keeping site-packages cleaner. Unfortunately I would need the source packages for all the BT specific stuff in order to re-package for the new Python install. Another related issue is the difference in GCC versions - Karmic runs on 4.4 whereas we use 4.3, not sure about Lucid.

    Pureh@te, do you think the dev team would be amenable to something like that? I know I can't submit a finished product to the team, but I can write up full procedures to have them repeated in house from sources I've not touched (and not tainted with backdoors and all the other things that other users would be concerned about). I also know you guys use a lot of your own packaging tools, and I'd love to learn how to package some of the more complex things as I've had some trouble packaging cmake and Python sourced packages before.

  7. #7
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    9

    Switching to Fedora still isn't going to solve the LTS issue. Fedora EOLs their releases approximately 13 months after their initial release. The official timeline is Release X+2 + 1 Month.

    I am a regular CentOS and Fedora user and I will agree with pureh@te that CentOS doesn't really make for a good desktop.

    Ubuntu's next release 10.04 is going to be their next LTS and will be supported for 3 years.

    Forgot to mention:
    RHEL 6 (eventually CentOS 6) is quickly turning into the same launch table as Duke Nukem Forever.
    Last edited by Picch; 03-28-2010 at 11:37 AM.

  8. #8
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Re: Fedora Security Spin

    Ubuntu is a good distribution, a little slow to release updates, but still good. The current kernel is fine with me. I don't trust ext4 yet. My Edimax wireless (USB) works fine in BT4. USB3 support would be nice as I will be getting an external portable USB3 hard drive in 2 months, but it won't be used for BackTrack; it will be the drive I back up my data to.

    I want the current version of Firefox as I use BT4 as a teaching tool. I don't have the luxury of having multiple PCs per student. So when my students are doing their labs they are surfing around looking for answers. Two semesters ago I did have an enterprising student set up a man-in-the-middle attack on a student PC. The instructor's PC is on a different network. The short version was he used a Firefox exploit to plant a file on another student's hard drive. They were friends so there wasn't a problem. It was funny to explain to the others that a security toolset like BT doesn't stay current, which is a shame as the consequences are obvious. I don't want the latest version just to have the latest version. I want the latest version as it closes security holes and/or fixes bugs. If it has a really cool new feature I will download the source and compile it if I need it.

    I think Lucid Lynx will be a good base for BT5. It is a long-term support OS so we should get 3 years from the estimated release date.

    Keep up the good work.
    I like the bleeding edge, but I don't like blood loss

  9. #9
    Just burned his ISO
    Join Date
    Mar 2010
    Location
    /root
    Posts
    20

    Re: Fedora Security Spin

    Correct me if I'm wrong, but as I recall, a lot of the decision to use Ubuntu 8.10 specifically came from it being the last Ubuntu to support KDE 3.5.x. I have no clue how that would get worked out in Lucid, especially given that KDE 4 is still a ways from being fully reliable (though it does function pretty well as a day to day desktop on one of my boxes).

    Regarding Fedora, I agree with pureh@te, yum is garbage compared to apt (from my experience), just as .deb has consistently been better for me than .rpm. Also, while there are justifiable reasons to want the latest and greatest versions of a pentesting tool, everyday software like Firefox will not change your life after upgrading it to 3.7, and actually, in this case, might break some add-ons.

    If any distro switch is in order, I'd say switch to Debian Stable or Testing, as their security team and stability are both excellent, and the Backtrack team takes care of updating the important stuff anyway. I know Ubuntu's all the rage lately, but I've still encountered many pitfalls with it that Debian adeptly dodges. Just my 2 cents.

  10. #10
    Member
    Join Date
    Feb 2007
    Posts
    229

    Re: Fedora Security Spin

    Actually 8.10 is a KDE4 OS in Kubuntu form, but where there is a Kubuntu, there is a kubuntu-kde3 care of the kde3 maintainers (personcomputing and the like). That's not such a big problem actually; I use their repo for my kde3 stuff, and it works great (devs had a problem with it way back when, if I remember correctly, and it was a major part of the reason for a whole repo of their own).

    Debian is great, slow to update though IMHO, and third party support for Ubuntu is awesome.

    In terms of a full port, I'm looking into it, taking some notes. I want to see Lucid in kde3 first to see if I can use their build, or if the meta-packages will make it hellish, in which case I'll need to do some very tedious BS just to get the best OS in order. As for upgrading, there are some solid reasons. For one, it might be a chance to go 64bit. Secondly, GCC, libc6, etc. have all moved on and using third party software (we all do it damnit, don't lie, unless you're still brand new to this) is getting harder.

    Fedora's upstart sec distro may bring some good packages to the table; I'm all for, alien the hell out of em, reverse engineer, and adapt to our own uses. No reason to switch EVERYTHING to another distribution that's younger than this.

    Oh, and kudos on the "adept" wordplay there.