Debian SbD
Plan of Action

As with any good project, a good plan of action is needed. Also as with any good project, D:SbD started with this only partially planned out. The course may change as needed, but the basic path we will take is laid out here.

Phase 1

Informing the Masses

Status: Complete

In Phase 1, web content supplying a brief description of each system to be implemented is created and displayed on the D:SbD web site. This information is accompanied by links to outside resources which supply more information about these systems. Three types of information are supplied.

The first type of information supplied is web content. Web pages are created which give a brief overview of each system and supply links to other content such as more information about each system, examples of deployment, and data to facilitate the reproduction of a test environment for each system.

The second type of information is reproduction data. This data may be included in the web content. It gives developers enough data to create an environment containing protected executables. Developers can use this data to create a fully secured environment, although no implementation aid may be given to facilitate such large-scale deployment.

The third type of information supplied is links to external data. These links allow persons taking an interest in the project to gather more information about each security feature. The links are part of the web content, and the data itself is the work of others, not of the D:SbD project.

Informing the reader that these things are "out there" is an important first step in gaining the reader's support, whether he be a Debian maintainer or a user who would like to support the project simply by taking interest.

Phase 2

Gathering External Support

Status: Underway

D:SbD will need the support of Debian maintainers and other related projects to successfully achieve its goals. This is not an ego-site for a person or a group of people to inflate their presence and proliferate the knowledge of their awesomeness; this is a security project aiming at bringing all security enhancements suitable for general use to Debian. It's not a joke and it's not the place for someone to boost his status.

D:SbD especially needs Debian maintainer support. There will be times when Debian packages need to be rebuilt and repackaged to demonstrate security features. It is important to have interested Debian developers turn their sights to this project and evaluate such packages, so that voices which carry more weight than a random Internet peon who suddenly appeared out of nowhere can confirm the credibility and feasibility of deploying such packages.

The support of other projects is also important. It is not a core focus of D:SbD to implement the changes to Debian that would let the maintainers continue maintaining easily and painlessly with these added features. This may happen in some cases; but in cases where it does not, other projects will have to fill this void. This may occur directly in Debian's core development structure, or indirectly through another external project.

The Hardened Debian project supplies several useful packages for hardening a system. Many of these, such as hardened kernels supplying PaX and SSP-enhanced compilers, are useful for the purposes pursued by D:SbD. For now, the Hardened Debian project hosts an apt repository here.

Phase 3

Large-Scale Demonstration

Status: Pending

Although each piece of D:SbD may have small-scale demonstrations to allow the reader to produce a protected binary or protected environment, this is not enough to facilitate a persuasive example of effective deployment. It implies that there is such a possibility, but does not give a large-scale example. As such, it does not give a convincing argument about the visible effects of deploying these systems.

Rather than giving a full-scale demonstration, which would involve effectively forking Debian temporarily, D:SbD will give a small-scale demonstration. There are a few possible forms that this demonstration may come in.

A secured LiveCD is currently being considered as a way to demonstrate a secure environment. As a design decision, the LiveCD will be based on Gentoo Linux to take advantage of the Hardened Gentoo project's efforts and avoid a ton of work. The choice of base distribution should not affect the demonstration.

The original plan was that the demonstration would consist of an apt source containing a variety of packages protected with whichever protections do not break them, and would reproduce a secure environment for those packages as well as any implicitly affected. The projected packages should include the base; X; an X toolkit; a graphical desktop environment; a few common applications; a couple of network clients; and a couple of servers. A projected list is below.

The above should cover a wide range of applications with a variety of packages for each type. These were chosen because they are fairly popular among users, and so will make a familiar test ground.

Phase 4


Status: Pending

The final goal of D:SbD is for the Debian maintainers to embrace the changes proposed by D:SbD and work to enhance Debian so that implementing and maintaining these changes in their build process is a quick and painless process on their end, as well as a completely transparent solution on the user's end. This will be carried out by a combination of Debian developers and external projects.
