
#1 2016-05-07 19:23:37

mogi
New Member
Registered: 2016-05-01
Posts: 3

Bunsen Labs and the Mainstream

I have been a longtime admirer of the CrunchBang distribution and now BunsenLabs, because I like the efficient utilization of the desktop and low overhead on the CPU. To date, I have only had these distros installed as a Virtual Machine and I really want to take the next step of using BunsenLabs as my distribution of choice on a daily basis. The reason I never made CrunchBang, or BunsenLabs for that matter, my work system (and always stayed with large mainstream distros), is because of my paranoia that the smaller distributions do not have as many sets of eyes on them, and the threat that the smaller distributions might have some nefarious software integrated into the distribution.

As I am sure many of you are aware, we need only look back to February 2016 for an example of malware making its way into a Linux distribution, as demonstrated when the Linux Mint distribution was compromised (reference: http://blog.linuxmint.com/?p=2994).

Here are my questions:

1. Is there a plan to get the BunsenLabs desktop environment integrated into the mainstream Debian Distribution or is the plan for BunsenLabs to always be a standalone distribution?

2. What safeguards exist or are planned to prevent an evildoer from injecting surreptitious access points, covert access, or other harmful nefarious code into BunsenLabs?

Unfortunately, I am not a coder and would not be able to determine whether or not any given piece of code was secure.

Thank you.
Mogi


#2 2016-05-07 19:40:35

damo
....moderator....
Registered: 2015-08-20
Posts: 5,823

Re: Bunsen Labs and the Mainstream

BunsenLabs is built from Debian Stable, so if something nasty gets into Debian then you are in trouble. The likelihood of that though is pretty minute. Any BL-specific packages have been built from reputable sources or backported from Debian, so the same applies. If you are unwilling to trust Debian then who are you going to trust?

BL scripts are simple bash or python scripts, so are open to anyone to look at. If you can't understand the code then I can't see a way for you to be reassured.

The only contributors to the BL scripts and packages are the few BL devs. If you can't trust us then why would you trust large commercial organisations like RedHat and Canonical, who are producing major mainstream distros with thousands of contributors to the code?

Many of us have been running #!, and now BL, for many years, with no security issues due to the distro.


Be Excellent to Each Other...


#3 2016-05-07 22:17:31

ohnonot
...again
Registered: 2015-09-29
Posts: 4,405

Re: Bunsen Labs and the Mainstream

About what happened to Linux Mint, I hear that WordPress was where the hackers gained access to replace a good .iso with an infested one.

WordPress is notorious for being unsafe.

I have full confidence in BunsenLabbers' choices of web content software, and their ability to maintain it.
So that's one attack vector eliminated.

But BL is really mostly Debian, and the few extra packages are easy to keep an eye on.


#4 2016-05-08 06:20:42

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,675

Re: Bunsen Labs and the Mainstream

mogi wrote:

1. Is there a plan to get the BunsenLabs desktop environment integrated into the mainstream Debian Distribution or is the plan for BunsenLabs to always be a standalone distribution?

Seems like Too Much Work at this point. Personally, I'd not be interested in playing with the slowness of their development cycle. It'd also mean we'd no longer be able to make adjustments as we see fit.

2. What safeguards exist or are planned to prevent an evildoer from injecting surreptitious access points, covert access, or other harmful nefarious code into BunsenLabs?

Our releases are securely signed with a public PGP key. You can find the signatures on the download page as well as in our Github repositories. The public key is available in the apt keyring of every BL release hitherto deployed, at pkg.bunsenlabs.org or on the keyserver.ubuntu.com key server, as well as every other key server that mirrors the Ubuntu one. For securing our systems, I follow best practices and am being paranoid.


Fate strikes at random / today me and tomorrow you.

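The check twoion's post describes, written out as an added example (not code from the BunsenLabs project): pin the release key's fingerprint, obtained out of band, and accept an image only when gpg reports a good signature from exactly that key. It assumes GnuPG 2.x is installed and the release key is already imported into the keyring GNUPGHOME points at; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not BunsenLabs project code. Verifies a downloaded release
# image against its detached PGP signature and pins the signing key to a
# fingerprint (KEY_FPR, 40 hex chars) that you obtained out of band, rather
# than trusting whatever key happens to be in the keyring. Assumes GnuPG 2.x
# and that the release key was already imported (e.g. from keyserver.ubuntu.com).

# verify_release ISO SIG KEY_FPR
#   0  signature is good AND was made by KEY_FPR
#   1  gpg rejected the signature (tampered file, bad or unknown key)
#   2  missing input, empty fingerprint, or fingerprint mismatch
verify_release() {
    iso=$1 sig=$2 want=$3
    [ -f "$iso" ] && [ -f "$sig" ] && [ -n "$want" ] || return 2
    # --status-fd 1 prints machine-readable lines on stdout; a VALIDSIG line
    # appears only for a cryptographically good signature and carries the
    # signing-key fingerprint in field 3 and the primary-key fingerprint last.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$iso" 2>/dev/null) || return 1
    fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; print $NF; exit }')
    [ -n "$fprs" ] || return 1
    # Accept if the pinned fingerprint is the signing key or its primary key.
    for f in $fprs; do
        [ "$f" = "$want" ] && return 0
    done
    return 2
}

# Typical use once the key is in the keyring (placeholder file names):
#   verify_release release.iso release.iso.sig "$KEY_FPR" \
#       && echo "image is authentic" || echo "do not boot this image"
```

A good signature from an unexpected key is treated as a failure on purpose: a keyring can accumulate keys, and only the pinned fingerprint proves the image came from the release signer.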

#5 2016-05-11 18:49:53

mogi
New Member
Registered: 2016-05-01
Posts: 3

Re: Bunsen Labs and the Mainstream

Thank you all for the details and insight.


#6 2016-05-12 15:58:59

Cellular-Decay
Member
Registered: 2016-04-28
Posts: 8

Re: Bunsen Labs and the Mainstream

Technically the Mint code was not the attack vector, it was their website, and only the direct download of one ISO. I've been running Mint on and off as my main OS for more than ten years and always used the torrent download option, which was never compromised. I still have full confidence in Linux Mint and I'm still using it (typing this reply from Mint as a matter of fact).

While your fears aren't entirely without merit, they are overly pessimistic. Only one security issue in ten years is quite a bit better than Microsoft, or even Apple (and don't get me started on banks and credit cards)!

I also used #! on my old Netbook to get me through a year of college. Loved that distro on the little Netbook! It was so light and fast. Started playing with BL-Hydrogen a few months ago and it's bringing back fond memories and reminding me how nice a lean distro can be. Based on the polish and support I have seen here I have no fears about using BL Linux as a primary OS.


#7 2016-05-12 17:38:19

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Bunsen Labs and the Mainstream

In the interests of balance:

Cellular-Decay wrote:

Only one security issue in ten years

Mint does not release security advisories at all.

Hence, the number of security issues suffered by Mint is unknown but highly likely to be non-zero.

Users who have any concerns about security would be better advised to install Debian stable :)


“And he sets his mind upon unknown arts.” — Ovid, Metamorphoses, VIII., 18.



#8 2016-05-12 21:49:22

hhh
Meep!
Registered: 2015-09-17
Posts: 9,280

Re: Bunsen Labs and the Mainstream

twoion wrote:

Seems like Too Much Work at this point. Personally, I'd not be interested in playing with the slowness of their development cycle. It'd also mean we'd no longer be able to make adjustments as we see fit.

I agree. Plus, as long as we include non-free packages our ISOs will always be considered "unofficial".

However, we were just invited to join the Debian Derivatives Census, which I'm sure we will.

