I'm constantly having trouble discovering what #debian's #security story is supposed to be.

They claim updates keep you secure, except #backports doesn't give any guarantees for security. But then you have the package 'tor': updates provide an old version with risks, while backports provide an up-to-date version.

#AppArmor is provided, but most profiles aren't up-to-date, so enforcing is risky. Ubuntu restricts unprivileged unconfined apps to prevent unnecessarily exposing some vulnerabilities. Debian doesn't.

Debian's security/hardening guide claims there are 'harden' packages, but those don't exist anymore. There isn't really any up-to-date, reliable information that makes you feel like you're hardening and ending up with a solid Linux installation.

Look, I get that debian wishes to update apps that have vulnerabilities. That's noble. But it seems inconsistent. Frankly, I expected more.

Okay, so there are some 'unconfined'-style profiles which are constructed only for the extraordinary privileges and are otherwise granted "all" permissions (within reason). Those cannot simply be set to 'enforce'.
That's a mistake on my side.

I don't understand why some profiles are in 'complain' mode, though. Is there not really any interest in enforcing restrictions? Or is it deemed unnecessary? Though I don't think that's the case from what I read.

In general, I am still confused about Debian's security intentions. Note: I do not claim malicious intent. Just that, e.g., Ubuntu is very clear on their intentions w.r.t. security, and I don't get a single direction either way from Debian.