There are a variety of high-quality open source security-related tools available in penetration testing tools, forensics tools, hardening tools, fuzz tools, and network monitoring tools. These tools could be used freely; however, we might face some issues while using it. Therefore, it is essential to have the ability to maintain or develop these tools. In this slide, SZ Lin introduces Security Tools Packaging Team in Debian; this team aims to maintain collaboratively many security tools and merge back tools packaged by security-oriented Debian derivatives (e.g., Kali). Also, SZ shares the experience in discussing and collaborating with open source maintainers and developers in open source security-related tools.

1. Take a step forward from user to
maintainer/ developer in open
source security-related tools
Take a step forward from user to
maintainer/ developer in open
source security-related tools
SZ Lin (林上智)

2. /WHOAMI/WHOAMI
SZ LIN (林上智)
 Debian Developer
 Cybersecurity Fundamentals Specialist
 ISA/ IEC 62443
 Blog - https://szlin.me

3. Open Source Security ToolsOpen Source Security Tools
src: http://www.capstone-engine.org/src: https://nmap.org/
src: http://www.unhide-forensics.info/src: https://virustotal.github.io/yara/
src: http://www.aircrack-ng.org/
src: http://www.openvas.org
src: http://www.chkrootkit.org/http://w3af.org/

4. It’s a trend to use open source
software; however…

8. Evolution of Open Source ParticipantEvolution of Open Source Participant
User Contributor Maintainer Developer
Explicit Borderline Explicit BorderlineImplicit Borderline
Knows and uses software
Help with comments, feedback
Provide small features, bug fixes
Submit patches to maintainer
Provide big features, bug fixes
Submit patches with limited
commit rights
Formally: Has commit with
unlimited rights
Perform bulk of work; quality
assurance

9. License
Compliance
Sustainability
Quality
Assurance
Preparedness
Planning
Basic Concepts in Using OSSBasic Concepts in Using OSS

11. src: https://bits.debian.org/2019/07/upcoming-buster.html

12. Debian Developer LocationsDebian Developer Locations

13. src: https://en.wikipedia.org/wiki/List_of_Linux_distributions#/media/File:DebianFamilyTree1210.svg
Debian DerivativesDebian Derivatives

14. Debian DerivativesDebian Derivatives
• Ubuntu
• Popularizing Linux around the world
• Grml
• Live system for system administrators.
• Purism PureOS
• FSF-endorsed rolling release, focused on privacy, security and convenience.
• Tails
• Preserve privacy and anonymity
• Parrot
• Security, development and privacy in mind.
• Kali Linux
• Security auditing and penetration testing.

15. License
Compliance
Sustainability
Quality
Assurance
Preparedness
Planning
Basic Concepts in Using OSSBasic Concepts in Using OSS

16. The Debian Free Software GuidelinesThe Debian Free Software Guidelines
1
Free Redistribution
可自由修改並再散佈
2
Source Code
需具備原始碼, 並能夠被編譯
3
Derived Works
允許被修改並產生衍生產品
4
Integrity of The Author's Source Code
原創作者原始碼的完整性
5 No Discrimination Against Persons or Groups
不得對任何人或團體有差別待遇
6
7 Distribution of License
散布授權條款
8
License Must Not Be Specific to a Debian
授權條款不得專屬於 Debian
9
License Must Not Restrict Other Software
授權條款不得限制其他軟體
10 Example Licenses
許可證示例
No Discrimination Against Fields of Endeavor
在任何領域內的利用不得有差別待遇

17. “Commons Clause” License Condition v1.0
The Software is provided to you by the Licensor under the
License, as defined below, subject to the following condition.
Without limiting other conditions in the License, the grant of
rights under the License will not include, and the License does
not grant to you, right to Sell the Software.
For purposes of the foregoing, “Sell” means practicing any or
all of the rights granted to you under the License to provide to
third parties, for a fee or other consideration (including without
limitation fees for hosting or consulting/ support services related
to the Software), a product or service whose value derives,
entirely or substantially, from the functionality of the Software.
Any license notice or attribution required by the ense must also
include this Commons Cause License Condition notice.
src: https://commonsclause.com/

19. src: https://redislabs.com/blog/redis-labs-modules-license-changes/ src: https://redislabs.com/community/licenses/
*Note: This is not an open-source license.

20. License
Compliance
Sustainability
Quality
Assurance
Preparedness
Planning
Basic Concepts in Using OSSBasic Concepts in Using OSS

21. Debian Long Term SupportDebian Long Term Support

22. Debian Package Auto-BuildingDebian Package Auto-Building

23. Debian CI SystemDebian CI System

24. Debian Reproducible BuildsDebian Reproducible Builds
src: https://tests.reproducible-builds.org/debian/reproducible.html

25. Debian Packages TrackerDebian Packages Tracker

26. Confidential
Good system security
Everything is open
Usually, fixed packages are uploaded within
a few days
Stability
unstable → testing → stable
Scalability
Server, Desktop,
Laptop, Embedded devices
Long term support
5 more years by Debian-LTS project
(i386, amd64, armel and armhf)
Multiple architectures
alpha, amd64, armel, armhf, aarch64,
hppa, i386, ia64, mips, mipsel, powerpc,
s390, and spar
Why Debian ?Why Debian ?
Incredible amounts
of software
Debian comes with over 59000
different pieces
of software with free
26

27. License
Compliance
Sustainability
Quality
Assurance
Preparedness
Planning
Basic Concepts in Using OSSBasic Concepts in Using OSS

28. Debian Teams [8]Debian Teams [8]

29. Debian Security Tools Packaging Team [6]Debian Security Tools Packaging Team [6]
Task description:
• Maintain correctly all security related tools.
• Merge back tools packaged by security-oriented Debian derivatives.
src: https://salsa.debian.org/groups/pkg-security-team/-/group_members

30. Team-Maintained PackagesTeam-Maintained Packages
src: https://qa.debian.org/developer.php?email=team%2Bpkg-security%40tracker.debian.org

31. Version Control SystemVersion Control System
src: https://salsa.debian.org/pkg-security-team

32. Team IRC ChannelTeam IRC Channel
Public IRC channel: #debian-pkg-security on irc.debian.org (OFTC)

33. Team Mailing ListTeam Mailing List
src: https://lists.debian.org/debian-security-tools/

34. Let’s Get InvolvedLet’s Get Involved
src: https://wiki.debian.org/Teams/pkg-security

35. Case Study

40. ResourcesResources
• Debian 新維護人員手冊
• https://www.debian.org/doc/manuals/maint-guide/
• Debian 套件打包教學指南
• https://www.debian.org/doc/manuals/packaging-tutorial/packaging-
tutorial.zh_TW.pdf

42. ReferencesReferences
[1] https://resources.github.com/whitepapers/introduction-to-innersource/
[2]https://dirkriehle.com/wp-content/uploads/2018/05/Inner-Source-Ten-
Years.pdf
[3]https://www.oreilly.com/programming/free/files/getting-started-with-
innersource.pdf
[4]
http://events17.linuxfoundation.org/sites/events/files/slides/OpenSourceSum
mitJP_2017_V01.pdf
[5] https://www.debian.org
[6] https://wiki.debian.org/Derivatives
[7] https://wiki.debian.org/Teams/pkg-security
[8] https://wiki.debian.org/Teams

43. Debian Security Tools Packaging Team
Package Tracker
Debian Security Tools Packaging Team
Package Tracker