Hello,
I planned to migrate to Debian, but I wonder if I need to stay on Debian stable or testing.
I'll use Golang, C++, Python, Bash and containers, so a lot of the source code will come from fresh projects too.
I need to take precautions because these new projects could always be harmful, voluntarily or not.
Questions:
1. Debian stable or testing?
2. What's the best method to protect myself in this case? Some of the code will need to be launched as root, for example, Kubernetes and Docker... Normally I shouldn't, but you know how it is in development
3. The reason why I'm very concerned about security is due to what's present on that machine: browser access to my email, github etc, ssh keys etc...
The only way could be to run everything on VMs through KVM, but the coding experience may turn out to be very annoying... Or I can just use xrdp inside those VMs, in order to exclude all the problems with graphics and mouse. That machine will anyway have access to Github, but nothing else I guess.
I can't set the Host and Guest on separate VLANs, the network is always exposed.
4. I'm a bit concerned by VSCode, I want to use it, but I see that if I request the installation of extensions, it doesn't ask for root permissions, it's just one click.
Plus, I wonder how this doesn't break the repository dependencies, does it use a different folder/repo for the extensions? It's the only possible explanation I know.
Thanks for any help.
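On the fourth question, an added example (not from the thread): VS Code unpacks each extension under ~/.vscode/extensions, a user-owned directory that dpkg knows nothing about, which is why no root prompt appears and why apt's dependency tree is untouched. The flip side is that each extension's package.json names a "main" script, Node.js code that runs with the full privileges of whoever runs VS Code. The script below inventories that directory; the sample extension tree it builds is constructed for the demo, and the real location is assumed to be ~/.vscode/extensions.

```sh
#!/bin/sh
# Added example, not from the thread: inventory the VS Code extensions installed
# for the current user. VS Code unpacks each extension under ~/.vscode/extensions
# (user-owned, outside dpkg's view), which is why no root prompt appears and why
# it cannot break apt's package dependencies. Each extension's package.json names
# a "main" script: Node.js code that runs with the user's full privileges.
# The sample tree below is constructed for the demo; the real directory is assumed
# to be ~/.vscode/extensions.

# Extract a top-level string field from a package.json without jq. Good enough
# for the one-key-per-line layout VS Code's packager writes; use a real JSON
# parser before trusting this on arbitrary input.
json_field() {
    # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# One line per extension: publisher.name version main-script
inventory_extensions() {
    ext_dir="${1:-$HOME/.vscode/extensions}"
    for pkg in "$ext_dir"/*/package.json; do
        [ -f "$pkg" ] || continue
        printf '%s.%s %s %s\n' \
            "$(json_field publisher "$pkg")" \
            "$(json_field name "$pkg")" \
            "$(json_field version "$pkg")" \
            "$(json_field main "$pkg")"
    done
}

# Files under the extension directory not owned by the current user; expect 0,
# since nothing here ever needed root.
foreign_owned_count() {
    ext_dir="${1:-$HOME/.vscode/extensions}"
    find "$ext_dir" -mindepth 1 ! -user "$(id -un)" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample so the script runs offline; mirrors the real layout.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/example.hello-0.0.1/out"
    cat > "$root/example.hello-0.0.1/package.json" <<'EOF'
{
  "name": "hello",
  "publisher": "example",
  "version": "0.0.1",
  "main": "./out/extension.js"
}
EOF
    printf '%s\n' "$root"
}

# Demo on the constructed tree; point inventory_extensions at the real directory
# to audit an actual installation.
sample=$(make_sample_tree)
inventory_extensions "$sample"
foreign_owned_count "$sample"
rm -rf "$sample"
```

The useful habit is to run the inventory after every one-click install and read the publisher column: the extension marketplace does no privilege separation for you, so an extension is trusted exactly as much as any other program you would run under your own account, with your SSH keys and browser sessions in reach.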
Debian testing or stable for development
- canci
- Global Moderator
- Posts: 2502
- Joined: 2006-09-24 11:28
- Has thanked: 136 times
- Been thanked: 136 times
Re: Debian testing or stable for development
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe
READ THIS:
* How to Post a Thread Here
* Other Tips and Great Resources
Re: Debian testing or stable for development
I guess that a VM will be the minimum, but my repo keys will still be there.
In any case, what do you mean with "debootstrap"? How can I "isolate" potential threats properly? From a quick look, it seems a method for custom deployments.
I won't mention "threats mitigation" because it's not what we need to focus here, that's another topic.
- canci
- Global Moderator
- Posts: 2502
- Joined: 2006-09-24 11:28
- Has thanked: 136 times
- Been thanked: 136 times
Re: Debian testing or stable for development
>what do you mean with "debootstrap"?
Read the Wiki.
>How can I "isolate" potential threats properly?
That's a very vague question. What happens within the debootstrapped testing/unstable environment, stays within it. It can't get to the proper stable environment.
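The debootstrap route canci points at, as an added example (not from the thread): build a testing tree under the stable host and enter it with systemd-nspawn rather than a bare chroot, so the code inside gets no interface onto the always-exposed LAN and its "root" is an unprivileged uid on the host. Suite, target path, mirror and the host-side source checkout are assumptions; the build and enter steps need root and the debootstrap and systemd-container packages.

```sh
#!/bin/sh
# Added example, not from the thread: build a Debian testing tree with debootstrap
# and enter it with systemd-nspawn, so that whatever runs inside sees neither the
# stable host's files nor its LAN nor a real uid 0. Suite, paths and mirror are
# assumptions; the host needs the debootstrap and systemd-container packages and
# the build/enter steps need root.

SUITE="${SUITE:-testing}"
TARGET="${TARGET:-/srv/chroots/$SUITE}"
MIRROR="${MIRROR:-http://deb.debian.org/debian}"
SRC_DIR="${SRC_DIR:-/home/dev/src}"   # assumed host-side checkout, exposed read-only

# Accept only suite names we expect, so a typo or a pasted string cannot reach
# debootstrap's command line unchecked.
valid_suite() {
    case "$1" in
        stable|testing|unstable|sid) return 0 ;;
        *) return 1 ;;
    esac
}

# The nspawn invocation as one string, so it can be displayed and checked.
#   --private-network    : no interface into the host's (always exposed) network
#   --private-users=pick : the container's root maps to an unprivileged host uid range
#   --bind-ro            : the source tree is visible, but writable only from the host
nspawn_cmd() {
    printf 'systemd-nspawn -D %s --private-network --private-users=pick --bind-ro=%s:/src' "$1" "$2"
}

build_chroot() {
    valid_suite "$SUITE" || { echo "refusing unknown suite: $SUITE" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "build needs root" >&2; return 1; }
    mkdir -p "$TARGET"
    debootstrap --variant=minbase --include=ca-certificates,git,build-essential \
        "$SUITE" "$TARGET" "$MIRROR"
}

enter_chroot() {
    [ "$(id -u)" -eq 0 ] || { echo "enter needs root" >&2; return 1; }
    [ -d "$TARGET/usr" ] || { echo "no tree at $TARGET; run build first" >&2; return 1; }
    # eval because the command was assembled as a string; paths must not contain spaces
    eval "$(nspawn_cmd "$TARGET" "$SRC_DIR")"
}

case "${1:-}" in
    build) build_chroot ;;
    enter) enter_chroot ;;
    *)     echo "usage: $0 build|enter" >&2
           echo "enter would run: $(nspawn_cmd "$TARGET" "$SRC_DIR")" ;;
esac
```

Two caveats worth knowing before relying on this: with --private-users the host-owned files under the bind mount show up as nobody inside the container, so the source tree must be world-readable (or copied in), and a plain chroot without nspawn gives none of the network or uid isolation above; it only changes the filesystem root.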
Re: Debian testing or stable for development
I definitely need to read the wiki, the procedure seems much longer than I thought. I've done a chroot from a live system in the past, but never from a deployed system.
In terms of security, what would be safer? VM or debootstrap?
I don't have resource issues in my machine, so I could use both without issues, up to countless instances.
For VMs, I'd use KVM.
- canci
- Global Moderator
- Posts: 2502
- Joined: 2006-09-24 11:28
- Has thanked: 136 times
- Been thanked: 136 times
Re: Debian testing or stable for development
It should be the same.
In your case, maybe VMs are less involved, then, when it comes to setup. Make a VM for development and use the main system for other stuff.
Debootstrap has the advantage of not feeling like you're starting an emulator. They are more like the predecessors to docker containers.
VMs are easier to set up.
Re: Debian testing or stable for development
I think I'll go with VMs then; I have some urgency to start with development, and it seems that debootstrap takes too much time to learn properly.
canci wrote: ↑2022-05-07 05:30
> It should be the same.
> In your case, maybe VMs are less involved, then, when it comes to setup. Make a VM for development and use the main system for other stuff.
> Debootstrap has the advantage of not feeling like you're starting an emulator. They are more like the predecessors to docker containers.
> VMs are easier to set up.
One question, I still can't resolve the issue of git credentials, keys etc...
I'd like a complete separation of those, but I think it's not possible.
For example, I'll need to have at least the clipboard sharing, or eventually I'll setup a shared folder.
Regarding git, I think it's not possible at all, I need to have the repo on that machine... Or eventually I could have the repo on the host (for simplicity), and the compiler/IDE on the guest. I could also set 2 VMs for this, but I think it's not necessary.
Happy to hear some alternative solution.
In terms of possible malware, it makes sense that the VMs are running a different kernel at least, possibly a different distro, but hey, I'm not gonna run Windows.
Network could be exposed anyway, but I'd use a PVLAN, it should be sufficient, I just need to avoid that one of these entities allows a malware to interact with other entities in my network or Host OS.
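One way to get the separation of git credentials asked about above, as an added example (not from the thread): the private key stays on the host and never lands on the VM; the VM gets a forwarded ssh-agent, and the host agent asks for confirmation on every signature, so a compromised VM cannot silently push or clone as you. The VM name, its libvirt NAT address, and the key path are assumptions; the demo writes only into a temporary directory.

```sh
#!/bin/sh
# Added example, not from the thread: keep the GitHub key on the host only and let
# the dev VM use it through a forwarded ssh-agent that asks for confirmation on
# every signature. The VM never holds the key file; while a forwarded session is
# open it can still request signatures, which is exactly what the -c prompt on
# the host is there to catch. VM name, address and key path are assumptions; the
# demo writes into a temporary directory, never into the real ~/.ssh.

# Host-side ~/.ssh/config: agent forwarding to the dev VM and nowhere else, and a
# dedicated key pinned to github.com so no other identity is ever offered there.
write_ssh_config() {
    cfg_dir="$1"; vm_name="$2"; vm_ip="$3"; key="$4"
    mkdir -p "$cfg_dir" && chmod 700 "$cfg_dir"
    cat > "$cfg_dir/config" <<EOF
Host $vm_name
    HostName $vm_ip
    ForwardAgent yes

Host github.com
    IdentitiesOnly yes
    IdentityFile $key
    ForwardAgent no
EOF
    chmod 600 "$cfg_dir/config"
}

# Print every Host stanza that enables ForwardAgent; the review rule is that the
# list contains the dev VM and nothing else.
forward_agent_hosts() {
    awk 'tolower($1)=="host" {host=$2}
         tolower($1)=="forwardagent" && tolower($2)=="yes" {print host}' "$1"
}

# On the host: load the key with per-use confirmation (-c) and a lifetime (-t),
# then open the forwarded session. Inside it, git over ssh uses $SSH_AUTH_SOCK.
start_session() {
    ssh-add -c -t 4h "$1" && ssh "$2"
}

# Demo on a constructed directory.
d=$(mktemp -d)
write_ssh_config "$d/ssh" dev-vm 192.168.122.10 "$HOME/.ssh/id_ed25519_github"
forward_agent_hosts "$d/ssh/config"    # prints: dev-vm
rm -rf "$d"
```

ssh-add -c needs an askpass program on the host (the ssh-askpass or ssh-askpass-gnome package on Debian). Only the terminal opened through that ssh session carries the forwarded agent, so git pushes go from there, not from a desktop session reached over xrdp or SPICE. If even a confirmed-per-use key is too much exposure, the alternative that needs no sharing at all is a per-repository deploy key generated inside the VM and added read-only on GitHub, which limits what a compromised VM can reach to that one repository.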
- canci
- Global Moderator
- Posts: 2502
- Joined: 2006-09-24 11:28
- Has thanked: 136 times
- Been thanked: 136 times
Re: Debian testing or stable for development
I'm not into programming, so I couldn't tell. But one thing that's the new hotness in the security of open source programming is the idea of reproducibility, i.e. a system of checks and balances that proves whether your code really comes from you.
Not sure if that would help you, but here's the documentation:
https://wiki.debian.org/ReproducibleBuilds
EDIT: Another thing... If you make a development environment in Linux, I think you should choose a distro that stays as close to new upstream versions as possible. I.e. Arch, Fedora, Debian Unstable.
- CwF
- Global Moderator
- Posts: 2638
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 192 times
Re: Debian testing or stable for development
1. Stable, or old-stable, or o-o-stable. The bare metal hypervisor part of the equation isn't very important.
2. VMs
3. Not xrdp, native Spice with guest installed spice-vdagent.
4. No issue, VMs
A question - is this on a laptop or a more adaptable desktop? Mainly, a single common NIC, or more?
Keep in mind c-n-p and d-n-d through spice does not require the guest NIC. Guest and host do not network by default even sharing the same physical NIC. All guests will share and network. More than one VM is very useful to accomplish your goals without involving the host itself. NIC and storage can be hot-plugged so as not to be live full time, so on-demand exposure or isolation.
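The on-demand exposure CwF describes, done with libvirt's virsh on a KVM host, as an added example (not from the thread): the dev VM normally runs with no NIC at all, a virtio NIC on libvirt's NAT "default" network is hot-plugged only for the minutes a fetch or push needs it and unplugged afterwards, and clipboard and drag-and-drop go over a SPICE channel that involves no network. Domain name, network name and MAC address are assumptions; the domiflist excerpt used for the check is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: the on-demand exposure described above, done
# with libvirt/virsh on a KVM host. The dev VM normally runs with no NIC at all;
# a virtio NIC on libvirt's NAT "default" network is hot-plugged only for the
# minutes a git fetch or push needs it, then unplugged. Clipboard and drag-and-drop
# ride on a SPICE channel that needs no network. Domain name, network name and
# MAC address are assumptions.

DOMAIN="${DOMAIN:-dev-vm}"
NET="${NET:-default}"
MAC="${MAC:-52:54:00:12:34:56}"

# libvirt device XML for the NIC. Using the same XML (same MAC) for attach and
# detach guarantees detach removes exactly the device attach added.
iface_xml() {
    cat <<EOF
<interface type='network'>
  <mac address='$1'/>
  <source network='$2'/>
  <model type='virtio'/>
</interface>
EOF
}

# Channel the guest-side spice-vdagent uses for clipboard and drag-and-drop;
# add it once with --config (takes effect at next boot), no NIC involved.
spice_channel_xml() {
    cat <<'EOF'
<channel type='spicevmc'>
  <target type='virtio' name='com.redhat.spice.0'/>
</channel>
EOF
}

# Does `virsh domiflist` output ($2) list MAC $1? Used to verify the unplug really
# happened rather than trusting virsh's exit status alone.
mac_listed() {
    printf '%s\n' "$2" | grep -qi "$1"
}

# $1 = attach-device|detach-device, $2 = --live (default) or --config, stdin = XML
run_virsh_with_xml() {
    f=$(mktemp)
    cat > "$f"
    virsh "$1" "$DOMAIN" "$f" "${2:---live}"
    rc=$?
    rm -f "$f"
    return $rc
}

net_on()  { iface_xml "$MAC" "$NET" | run_virsh_with_xml attach-device; }
net_off() {
    iface_xml "$MAC" "$NET" | run_virsh_with_xml detach-device
    if mac_listed "$MAC" "$(virsh domiflist "$DOMAIN")"; then
        echo "NIC still present on $DOMAIN" >&2
        return 1
    fi
}
add_spice_channel() { spice_channel_xml | run_virsh_with_xml attach-device --config; }
```

Typical use is `net_on; git -C ~/src pull; net_off` from a host terminal, with the VM's storage for the untrusted checkout on a separate disk image that can be detached the same way with virsh detach-disk. The guest still needs the spice-vdagent package installed for the channel to do anything, and a VM that has no NIC also has no route to the rest of the LAN, which sidesteps the PVLAN problem entirely.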
Re: Debian testing or stable for development
I don't know this spice-vdagent, but I'll check. I need to use KVM; I already see it's compatible, but probably xrdp is just fine, I just care about the security.
CwF wrote: ↑2022-05-10 15:54
> 1. Stable, or old-stable, or o-o-stable. The bare metal hypervisor part of the equation isn't very important.
> 2. VMs
> 3. Not xrdp, native Spice with guest installed spice-vdagent.
> 4. No issue, VMs
> A question - is this on a laptop or a more adaptable desktop? Mainly, a single common NIC, or more?
> Keep in mind c-n-p and d-n-d through spice does not require the guest NIC. Guest and host do not network by default even sharing the same physical NIC. All guests will share and network. More than one VM is very useful to accomplish your goals without involving the host itself. NIC and storage can be hot-plugged so as not to be live full time, so on-demand exposure or isolation.
My machine is a powerful desktop machine, not worried about performance, RAM limit or issues with NIC.
I can have multiple VMs with dedicated IP, though I think that I'll face a blocker with the PVLAN... I think I can't isolate the network of each VM on a single network card.
My plan at the moment is the following:
1. One VM for Github
2. One VM for the compiler etc. (which will compile remotely), it will include also a browser with access to cloud storage etc.
If I think better about it, it doesn't make much sense. The compiler will always compile the binary locally, and run it there. Unless I find a comfortable way to set VSCode to compile and execute remotely, but technically it is not possible unless it's through a network socket.
Eventually, I'll need to xrdp inside the VM for Github and launch the binary, but what's the point of VSCode then...
The biggest threat is probably Kubernetes and Docker... Maybe I can run these 2 remotely, but not the rest of the programs...
Plus, one major project I'm following is entirely on Kubernetes and Docker, so the rest of the stack is entirely on it, I can't divide these 2 things...
It seems that only one VM would be just fine, also to avoid painful complexity which could also generate security implications.
Happy to hear any suggestion.
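On the Docker and Kubernetes part of the plan, an added example (not from the thread) of two checks to run inside the dev VM before trusting it with that stack: membership in the docker group is root-equivalent on that machine, because the daemon runs as root and will bind-mount any host path into a container on request, so Docker is "launched as root" even when nobody types sudo; Docker's rootless mode instead keeps the daemon inside the user's own namespaces. The `docker info` excerpt the offline check uses is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: two checks to run inside the dev VM before
# relying on Docker there. Membership in the docker group is root-equivalent on
# that machine (the daemon runs as root and will bind-mount any host path into a
# container on request), so Docker is "launched as root" even when no sudo is
# typed. Docker's rootless mode instead keeps the daemon in the user's own
# namespaces. The captured `docker info` excerpt used in the test is constructed.

# $1 = group name, $2 = the group list as printed by `id -nG`
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Rootless daemons advertise themselves with a bare "rootless" line under
# "Security Options" in `docker info`; $1 is that output, passed in so the
# check also runs offline on a saved copy.
is_rootless_info() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*rootless[[:space:]]*$'
}

report() {
    if in_group docker "$(id -nG)"; then
        echo "WARNING: $(id -un) is in the docker group: root-equivalent on this VM"
    else
        echo "ok: $(id -un) is not in the docker group"
    fi
    if command -v docker >/dev/null 2>&1; then
        if is_rootless_info "$(docker info 2>/dev/null)"; then
            echo "docker: rootless daemon"
        else
            echo "docker: root daemon (or daemon not reachable)"
        fi
    fi
}

report
```

The practical consequence for the thread's plan: inside a throwaway VM the root-equivalence is tolerable, because the VM is the blast radius, but the same docker group membership on the host would hand any dev-tool exploit the host's SSH keys and browser profile. Rootless mode is set up with the dockerd-rootless-setuptool.sh install script shipped in the docker-ce-rootless-extras package; Kubernetes-in-Docker tooling generally works there but needs extra configuration, so the VM remains the primary boundary either way.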