Antoine Beaupré wrote:

> There are, however, people *not* running Debian-built kernels, and
> sometimes for good reasons. This is a configuration that we should
> still support.

It is supported, but it's also clearly documented that people need to enable this sysctl for custom kernels: https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security

> Incidentally, I wonder if we should remove the patch we have on the
> Debian kernels to change the defaults, and instead rely on the
> sysctl. I have added the kernel team in CC to have their input.

Why revert the kernel? That doesn't buy us anything. It would be better to ask upstream to revisit this decision (e.g. by contacting the KSPP mailing list).

I suppose that SuSE, Ubuntu and Red Hat are shipping similar patches/defaults, so it's probably safe to say that those protections are now the status quo (as opposed to five years ago when that feature was freshly introduced).

Cheers,
Moritz