[Tfug] Multiple distros for security?

David Cowell davidwcowell at cox.net
Sat Jan 24 19:33:13 MST 2009


The decision here is a common problem in almost any field:

Is the cost/benefit of diversity (in a given instance) better than the
cost/benefit of consistency?

One of the best methods of analyzing this is first to remember that
increasing diversity usually increases variation from a norm. (Variation
being both on the "better than needed" side and on the "not good enough"
side.)

Now, variation may be quite acceptable if the consequences of that
variation are not catastrophic. (Buying generic food except when brand
name stuff is on sale is not going to ruin your health.)

In the situation of running parallel distros, however, even if one fails
there is a breach. And, as Paul Lemmons wrote, "1/3 compromised is still
compromised." We will assume this is a situation you wish to avoid.

We can simplistically reduce your problem to: "Are the dangers of using
several distros in tandem less than (and less severe than) the dangers
of using only one?"

The answer is a resounding "No!" There is greater variation.
(Admittedly, variation on the positive side goes up, too... but you
don't really care about that, do you?)

A parallel question is, "Do I run a higher risk of STD infection if I am
faithfully monogamous or if I have several partners?" Whilst indeed
there is the possibility that one's spouse is infected, the possibility
that the group of several partners has one infection amongst them is
likely much greater, even if they are no more active.

Of course, a failure in a monogamous system is a highly emotional
situation, whereas a failure in a licentious system is accepted as part
of the risk... which obscures the inherent lower risk of the monogamous
system.

That is probably why people got so worked up about the Debian problem:
how _could_ this happen with Debian?! (Well, it could happen with Suse
or Red Hat or...)

Acceptance of the possibility of a distro failure is mandatory for any
realistic assessment of things. Debian will fail, Suse will fail,
Slackware will fail.

Accept it - don't go out with three or four OS-chans. One will be far
more faithful than three. Choose one that you can be happy with and be
content with her weaknesses.

And thus you will learn to wrestle with lions.
