Security, Safety, Hacking, and Cryptography
Saturday 17:30 - 17:50 CEST, Heidelberg
DNS in Debian -- Robert Edmonds
Speaker: Robert Edmonds
The Domain Name System (DNS) protocol is widely used by Internet-connected hosts, including Debian systems. It is most commonly associated with the "hostname to address" lookup service needed by many Internet protocols, but it has an extensible design and is capable of distributing many types of information. The DNS has a highly componentized architecture and no individual package in Debian is responsible for implementing DNS support as a whole. This talk will introduce the DNS architecture and explain how individual packages in the Debian archive together implement this architecture. Other topics covered will include:
- The DNS data model.
- The broad history of the protocol, and likely future developments.
- How the DNS is commonly deployed on the Internet.
- How Debian's DNS support compares to other operating systems like Fedora and FreeBSD.
- Privacy, security, and governance considerations.
Saturday 18:00 - 18:45 CEST, Heidelberg
Tails: a technical overview -- Andres Gomez
Speakers: intrigeri, Andres Gomez
Tails is a Debian GNU/Linux based live system that aims to preserve user privacy and anonymity. This talk gives an overview of the technical details behind Tails and of how privacy, anonymity and security are enforced on top of Debian. We will explain the challenges that Tails faces. This talk also presents the current Tails project roadmap and future goals, and the evolution of the relation with Debian, from a technical point of view.
Sunday 15:00 - 15:20 CEST, Heidelberg
Enforcement of a system-wide crypto policy -- Nikos Mavrogiannopoulos
Speaker: Nikos Mavrogiannopoulos
Currently each and every shipped application in distributions enforces its own policy on the allowed cryptographic algorithms/protocols. While for some this is a desirable property, for most unmanaged applications like wget, curl, and similar, it prevents enforcing a consistent security level. The purpose of this talk is to describe the approach we've taken in Fedora to counter the issue and enforce a system-wide policy, discuss the current outcome and lessons learned, and invite Debian maintainers to participate.
Sunday 17:00 - 17:20 CEST, Heidelberg
More Entropy, Please -- Niibe Yutaka
Speaker: Niibe Yutaka
In this talk, I will discuss the Monty Hall problem by computer simulation and will show how important a Random Bit Generator is, and that more entropy is needed. At DebConf 14, I listened to the talk by Tom Marble, which was titled "Security not by chance: the AltusMetrum hardware true random number generator". It was very impressive for me. (I had a TRNG implementation of mine, but I didn't recognize its importance.) Since then, I have been considering some promotion for more entropy, and I wrote the article (see the first URL). The story doesn't directly discuss the TRNG itself, but it explains that bias should be killed, it discusses an effective side channel attack, and it emphasizes that more entropy is required.
Sunday 17:30 - 17:50 CEST, Heidelberg
hOpenPGP 2 -- Clint Adams
Speaker: Clint Adams
Since the hOpenPGP talk at DC14, a few things have changed. This will briefly summarize what's new with hOpenPGP and hopenpgp-tools.
Monday 17:00 - 17:45 CEST, Amsterdam
Improving privacy and security for notmuch mail -- David Bremner
Speaker: David Bremner
One of (at least my) primary motivations for working on Notmuch [1] is reducing my dependence on cloud services, and supporting the secure sending and receiving of signed and encrypted mail. Like any real world piece of software, notmuch is far from perfect, and several areas related to privacy and security could clearly be improved. During this BoF we'd like to plan out some topics to work on in followup hacking sessions. Anyone is welcome, even if they don't feel like hacking on notmuch. Potential topics of discussion and hacking include:
- S/MIME signatures and encryption
- Improving the security of the Emacs MML mime composer
- Searching of GPG encrypted mail
- Auditing and fixing "webbug" style problems in front ends
- Making notmuch build reproducibly

[1]: http://notmuchmail.org
Tuesday 18:00 - 18:45 CEST, Heidelberg
Let's Encrypt -- Peter Eckersley
Speaker: Peter Eckersley
Invited talk about Let's Encrypt.
Amsterdam
Preparing for Wheezy LTS -- Raphaël Hertzog
Speakers: Raphaël Hertzog, Holger Levsen
Work sessions between the members of the security team and of the LTS team to prepare for Wheezy LTS:
- infrastructure changes so that security.debian.org repositories can be used by the LTS team
- discussing what will be supported in Wheezy LTS
- etc.
Thursday 10:00 - 10:45 CEST, Heidelberg
Stretching out for trustworthy reproducible builds - creating bit by bit identical binaries -- Holger Levsen
Speakers: Holger Levsen, Lunar
With free software, anyone can inspect the source code for malicious flaws. But Debian provides binary packages to its users. The idea of "deterministic" or "reproducible" builds is to empower anyone to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source. This talk will explain the current status of the Debian Reproducible Builds project, how this is relevant for the complete free software ecosystem and how you can contribute.
Thursday 11:00 - 11:45 CEST, Amsterdam
Reproducible builds roundtable - Discussing the changes needed for officially reproducible builds -- Holger Levsen
Speaker: Holger Levsen
A roundtable with relevant Debian parties to discuss and plan what needs to be done so that reproducible builds can become an officially supported feature for (at least some packages in) Debian Stretch. We would like to see ftpmaster team members, dpkg maintainers, release team members, tech-ctte members and you at this event!
Thursday 14:00 - 14:20 CEST, Heidelberg
Sandstorm.io: A web-native package manager, with many lessons from Debian -- Asheesh Laroia
Speaker: Asheesh Laroia
This talk introduces Sandstorm, a free software package manager for web applications with a focus on usability and security. The talk dives deep into how Sandstorm works and why. You'll see how Sandstorm is similar to and different from Debian, and you'll learn:
* Why Sandstorm exists, and why I think it fits the web better than packaging the same apps in Debian directly
* How people turn open source web apps into Sandstorm packages
* How (and why) every Sandstorm app package is a Debian derivative
* Why Debian should use this for Debian Developer-oriented infrastructure
* Examples of web apps that Sandstorm is, and isn't, good for
* How our community structure is different from Debian's -- with many lessons I've personally learned through my work on Debian
* How Sandstorm adds security and access control to any web app

You'll leave with a sense of the purpose of Sandstorm, an understanding of why we made it, and a desire to run it yourself.
Thursday 15:00 - 15:45 CEST, Berlin/London
AppArmor Crash Course -- Christian Boltz
Speaker: Christian Boltz
AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies, called profiles, completely define what system resources individual applications can access, and with what privileges. A number of default profiles are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor profiles for even very complex applications can be deployed successfully in a matter of hours.

This talk gives an introduction to AppArmor. I'll show the AppArmor tools to create and update profiles and also explain the profile syntax so that you can understand and manually edit profiles. I'll also show some advanced usage - securing a typical webserver, setting up read-only root access to do backups and how to (ab)use AppArmor for debugging.
Friday 14:00 - 19:00 CEST, Stockholm
Reproducible builds: Hacking Session -- Holger Levsen
Speaker: Holger Levsen
Let's make some good example packages reproducible. (Or work on changes to dak or do some other reproducible hands-on hacking.)