Debian testing or stable for development

User discussion about Debian Development, Debian Project News and Announcements. Not for support questions.
Gen3x
Posts: 25
Joined: 2022-05-03 22:57
Has thanked: 11 times
Been thanked: 1 time

Debian testing or stable for development

#1 Post by Gen3x »

Hello,

I planned to migrate to Debian, but I wonder if I need to stay on Debian stable or testing.

I'll use Golang, C++, Python, Bash and containers, therefore a lot of source code coming from fresh projects too.
I need to take precautions because these new projects could always be harmful, voluntarily or not.

Questions:
1. Debian stable or testing?

2. What's the best method to protect myself in this case? Some of the code will need to be launched as root, for example, Kubernetes and Docker... Normally I shouldn't, but you know how it is in development :mrgreen:

3. The reason why I'm very concerned about security is due to what's present on that machine: browser access to my email, github etc, ssh keys etc...
The only way could be to run everything on VMs through KVM, but the experience of coding may be very annoying... Or I can just use xrdp inside those VMs, in order to exclude all the problems with graphics and mouse. That machine will anyway have access to Github, but nothing else I guess.
I can't set the Host and Guest on separate VLANs, the network is always exposed.

4. I'm a bit concerned by VSCode, I want to use it, but I see that if I request the installation of extensions, it doesn't ask for root permissions, it's just one click.
Plus, I wonder how this doesn't break the repository dependencies, does it use a different folder/repo for the extensions? It's the only possible explanation I know.

Thanks for any help.

canci
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing or stable for development

#2 Post by canci »

How about VM or Debootstrap?

https://wiki.debian.org/Debootstrap
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

Gen3x
Posts: 25
Joined: 2022-05-03 22:57
Has thanked: 11 times
Been thanked: 1 time

Re: Debian testing or stable for development

#3 Post by Gen3x »

canci wrote: 2022-05-06 09:19
> How about VM or Debootstrap?
>
> https://wiki.debian.org/Debootstrap

I guess that a VM will be the minimum, but my repo keys will still be there.

In any case, what do you mean with "debootstrap"? How can I "isolate" potential threats properly? From a quick look, it seems a method for custom deployments.

I won't mention "threat mitigation" because it's not what we need to focus on here, that's another topic.

canci
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing or stable for development

#4 Post by canci »

>what do you mean with "debootstrap"?

Read the Wiki.

>How can I "isolate" potential threats properly?

That's a very vague question. What happens within the debootstrapped testing/unstable environment, stays within it. It can't get to the proper stable environment.

Gen3x
Posts: 25
Joined: 2022-05-03 22:57
Has thanked: 11 times
Been thanked: 1 time

Re: Debian testing or stable for development

#5 Post by Gen3x »

canci wrote: 2022-05-06 22:21
> >what do you mean with "debootstrap"?
>
> Read the Wiki.
>
> >How can I "isolate" potential threats properly?
>
> That's a very vague question. What happens within the debootstrapped testing/unstable environment, stays within it. It can't get to the proper stable environment.

I definitely need to read the wiki :D , the procedure seems much longer than I thought. I've done chroot from a live system in the past, but never from a deployed system.

In terms of security, what would be safer? VM or debootstrap?
I don't have resource issues in my machine, so I could use both without issues, up to countless instances.
For VMs, I'd use KVM.

canci
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing or stable for development

#6 Post by canci »

It should be the same.

In your case, maybe VMs are less involved when it comes to setup. Make a VM for development and use the main system for other stuff.

Debootstrap has the advantage of not feeling like you're starting an emulator. They are more like the predecessors to docker containers.
VMs are easier to set up.
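canci's debootstrap suggestion (#2, #4 and #6 above), worked through as an added example that is not from the thread or from the Debian wiki page: it bootstraps a Debian testing root on the stable host and enters it with systemd-nspawn, the namespace-based successor to a plain chroot, so that whatever runs inside cannot touch the stable system or the host's network unless you allow it. The root path /srv/testing, the user name dev, the bind-mounted source directory and the package list are assumptions; the debootstrap and systemd-container packages must be installed on the host and the bootstrap step needs root.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian wiki): bootstrap a
# Debian testing root on a stable host and enter it with systemd-nspawn.
# Assumed: root at /srv/testing, user "dev" inside it, sources at $HOME/src.
# Needs the debootstrap and systemd-container packages; bootstrap needs root.
set -eu

MIRROR="${MIRROR:-https://deb.debian.org/debian}"
SUDO="${SUDO:-sudo}"                       # set SUDO="" when already root
SRC="${SRC:-${HOME:-/root}/src}"           # host directory bind-mounted read-only

# apt sources for the bootstrapped suite. Assumption: the security suite
# follows the <suite>-security naming, i.e. testing-security.
sources_list() {
    suite=$1
    printf 'deb %s %s main\n' "$MIRROR" "$suite"
    printf 'deb https://deb.debian.org/debian-security %s-security main\n' "$suite"
}

# Arguments for entering the root as the unprivileged user. By default the
# container gets --private-network (loopback only), so untrusted build
# steps cannot talk to the host or the LAN; NET=1 shares the host's network
# namespace for the moment you need to fetch dependencies.
nspawn_args() {
    dir=$1 net=${2:-0}
    printf -- '--quiet --directory=%s --user=dev --bind-ro=%s:/src' "$dir" "$SRC"
    [ "$net" = 1 ] || printf -- ' --private-network'
}

bootstrap() {    # bootstrap SUITE DIR
    suite=$1 dir=$2
    $SUDO debootstrap --variant=minbase \
        --include=build-essential,git,ca-certificates "$suite" "$dir" "$MIRROR"
    sources_list "$suite" | $SUDO tee "$dir/etc/apt/sources.list" >/dev/null
    # nspawn runs the given command instead of a shell: create the user once
    $SUDO systemd-nspawn --quiet --directory="$dir" useradd -m -s /bin/bash dev
}

enter() {        # enter DIR [NET]
    # word-splitting of nspawn_args output is intended (paths without spaces)
    $SUDO systemd-nspawn $(nspawn_args "$1" "${2:-0}")
}

case "${1:-}" in
    bootstrap) bootstrap "${2:-testing}" "${3:-/srv/testing}" ;;
    enter)     enter "${2:-/srv/testing}" "${NET:-0}" ;;
esac
```

Run `sh testing-root.sh bootstrap` once, then `sh testing-root.sh enter` for an isolated shell, or `NET=1 sh testing-root.sh enter` when apt, go or pip need to fetch something. Everything the build writes stays under /srv/testing, and the host's stable packages and home directory (apart from the read-only /src bind) are out of reach, which is the separation canci describes. It is not a VM: the kernel is shared, so treat it as stronger than a plain chroot but weaker than KVM.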

Gen3x
Posts: 25
Joined: 2022-05-03 22:57
Has thanked: 11 times
Been thanked: 1 time

Re: Debian testing or stable for development

#7 Post by Gen3x »

canci wrote: 2022-05-07 05:30
> It should be the same.
>
> In your case, maybe VMs are less involved when it comes to setup. Make a VM for development and use the main system for other stuff.
>
> Debootstrap has the advantage of not feeling like you're starting an emulator. They are more like the predecessors to docker containers.
> VMs are easier to set up.

I think I'll go with VMs then, I have some urgency to start with development, it seems that debootstrap takes too much time to learn properly.

One question, I can't still resolve the issue of git credentials, keys etc...
I'd like a complete separation of those, but I think it's not possible.
For example, I'll need to have at least the clipboard sharing, or eventually I'll setup a shared folder.

Regarding git, I think it's not possible at all, I need to have the repo on that machine... Or eventually I could have the repo on the host (for simplicity), and the compiler/IDE on the guest. I could also set up 2 VMs for this, but I think it's not necessary.
Happy to hear some alternative solution.

In terms of a possible malware, it makes sense that the VMs are running a different Kernel at least, possibly a different distro, but hey, I'm not gonna run Windows :D .
Network could be exposed anyway, but I'd use a PVLAN, it should be sufficient, I just need to avoid that one of these entities allows a malware to interact with other entities in my network or Host OS.

canci
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28
Has thanked: 136 times
Been thanked: 136 times

Re: Debian testing or stable for development

#8 Post by canci »

I'm not into programming, so I couldn't tell. But one thing that's the new hotness in the security of open source programming is the idea of reproducibility, i.e. a system of checks and balances that proves whether your code really comes from you.
Not sure if that would help you, but here's the documentation:
https://wiki.debian.org/ReproducibleBuilds

EDIT: Another thing... If you make a development environment in Linux, I think you should choose a distro that stays as close to new upstream versions as possible. I.e. Arch, Fedora, Debian Unstable.

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Debian testing or stable for development

#9 Post by CwF »

Gen3x wrote: 2022-05-10 09:36
> I just need to avoid that one of these entities allows a malware to interact with other entities in my network or Host OS.

1. Stable, or old-stable, or o-o-stable. The bare metal hypervisor part of the equation isn't very important.
2. VMs
3. Not xrdp, native Spice with guest installed spice-vdagent.
4. no issue, VMs

A question - is this on a laptop or a more adaptable desktop? Mainly, a single common NIC, or more?

Keep in mind c-n-p and d-n-d through spice does not require the guest NIC. Guest and Host do not network by default even sharing the same physical NIC. All Guest will share and network. More than one VM is very useful to accomplish your goals without involving the host itself. NIC and storage can be hot-plugged as to not be live full time, so on demand exposure or isolation.
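CwF's recommendations in #9 (Spice with spice-vdagent instead of xrdp, a guest that has no NIC until you give it one, NIC and storage hot-plugged only while needed) expressed in libvirt/KVM terms as an added example. It is not from the thread: the domain name, memory size, qcow2 disk path, the vdb target for a shared image and the use of libvirt's "default" NAT network are assumptions, and the guest still needs the spice-vdagent package for clipboard and resolution sync.

```shell
#!/bin/sh
# Added example: a libvirt/KVM domain defined with Spice + vdagent channel
# and no NIC, plus helpers that hot-plug a NIC or a shared disk only while
# needed. Assumed: libvirt's "default" network, qcow2 disk path, vda/vdb.
set -eu

# Domain XML: Spice listens on the host loopback only (the viewer runs on
# the host), clipboard sharing on, Spice file transfer (drag-and-drop into
# the guest) off, and deliberately no <interface> element.
domain_xml() {   # domain_xml NAME MEM_MiB VCPUS DISK
    name=$1 mem_mib=$2 vcpus=$3 disk=$4
    cat <<EOF
<domain type='kvm'>
  <name>$name</name>
  <memory unit='MiB'>$mem_mib</memory>
  <vcpu>$vcpus</vcpu>
  <os><type arch='x86_64' machine='q35'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='$disk'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <graphics type='spice' autoport='yes' listen='127.0.0.1'>
      <clipboard copypaste='yes'/>
      <filetransfer enable='no'/>
    </graphics>
    <!-- virtio-serial channel used by spice-vdagent inside the guest -->
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <video><model type='qxl'/></video>
  </devices>
</domain>
EOF
}

define_vm() {    # define_vm NAME MEM_MiB VCPUS DISK
    tmp=$(mktemp)
    domain_xml "$@" >"$tmp"
    virsh define "$tmp"
    rm -f "$tmp"
}

# Give the running guest a NIC on the NAT network, and take it away again.
expose()  { virsh attach-interface "$1" network default --model virtio --live; }
isolate() { virsh detach-interface "$1" network --live; }

# Hand a disk image to the guest for a transfer, then take it back.
attach_share() { virsh attach-disk "$1" "$2" vdb --targetbus virtio --live; }
detach_share() { virsh detach-disk "$1" vdb --live; }

# What the guest currently has plugged in.
status() { virsh domiflist "$1"; virsh domblklist "$1"; }

case "${1:-}" in
    define) define_vm "${2:?name}" "${3:-4096}" "${4:-2}" \
                      "${5:-/var/lib/libvirt/images/$2.qcow2}" ;;
    expose|isolate|attach_share|detach_share|status) "$@" ;;
esac
```

`sh vm.sh define dev` registers the domain (install the guest from an ISO afterwards with virt-manager or virt-install), `sh vm.sh expose dev` plugs in a NIC for the time the guest needs package downloads, `sh vm.sh isolate dev` unplugs it, and `attach_share`/`detach_share` pass a disk image in and out without any network. Copy-and-paste through Spice keeps working while the guest has no NIC, which is the point CwF makes; the loopback `listen` keeps the Spice port off the LAN.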

Gen3x
Posts: 25
Joined: 2022-05-03 22:57
Has thanked: 11 times
Been thanked: 1 time

Re: Debian testing or stable for development

#10 Post by Gen3x »

CwF wrote: 2022-05-10 15:54
> Gen3x wrote: 2022-05-10 09:36
> > I just need to avoid that one of these entities allows a malware to interact with other entities in my network or Host OS.
>
> 1. Stable, or old-stable, or o-o-stable. The bare metal hypervisor part of the equation isn't very important.
> 2. VMs
> 3. Not xrdp, native Spice with guest installed spice-vdagent.
> 4. no issue, VMs
>
> A question - is this on a laptop or a more adaptable desktop? Mainly, a single common NIC, or more?
>
> Keep in mind c-n-p and d-n-d through spice does not require the guest NIC. Guest and Host do not network by default even sharing the same physical NIC. All Guest will share and network. More than one VM is very useful to accomplish your goals without involving the host itself. NIC and storage can be hot-plugged as to not be live full time, so on demand exposure or isolation.

I don't know this spice-vdagent, but I'll check. I need to use KVM; I already see it's compatible, but probably xrdp is just fine, I just care about the security.

My machine is a powerful desktop machine, not worried about performance, RAM limit or issues with NIC.
I can have multiple VMs with dedicated IP, though I think that I'll face a blocker with the PVLAN... I think I can't isolate the network of each VM on a single network card.

My plan at the moment is the following:
1. One VM for Github
2. One VM for the compiler etc. (which will compile remotely); it will also include a browser with access to cloud storage etc.

If I think better about it, it doesn't make much sense. The compiler will always compile the binary locally and run it there. Unless I find a comfortable way to set VSCode to compile and execute remotely, but technically it's not possible unless it's through a network socket.
Eventually, I'll need to xrdp inside the VM for Github and launch the binary, but what's the point of VSCode then...

The biggest threat is probably Kubernetes and Docker... Maybe I can run these 2 remotely, but not the rest of the programs...
Plus, one major project I'm following is entirely on Kubernetes and Docker, so the rest of the stack is entirely on it, I can't divide these 2 things...

It seems that only one VM would be just fine, also to avoid painful complexity which could also generate security implications.

Happy to hear any suggestion.
