On Sun, 2012-01-29 at 21:26 +0000, Ben Hutchings wrote:
> > So in the end what are the reasons for not trying the grsecurity
> > featureset? #605090 lacks any reply from the kernel team since quite a
> > while, and especially after answers were provided to question asked.

Whew.... I'd also be waiting for this since... well since I knew about PaX ;)
I think, given the great security benefits it can give, it would be really worth having it in Debian. Especially as the linux-patch-grsecurity2 package uses to be heavily unmaintained. :(

> You already know the main reason:
>
> > Feature-wise, Brad Spengler and the PaX team still add stuff, like the
> > gcc plugins or hardening features like symbols hiding, fix bugs (for
> > example in RBAC code), while few of them reach mainline.
>
> I realise that the mainline Linux developers have sometimes been
> unreasonably resistant to these changes and I'm not intending to assign
> blame for this.

Yeah,... seeing it merged upstream would be the best, of course.

> But practically this means that we have to either carry
> the featureset indefinitely or disappoint users by removing it in a
> later release. (See the complaints about removing OpenVZ in wheezy
> despite 4 years' advance notice of this.)

Well I guess you really don't have to bother on this :)

Cheers,
Chris.