On Mon, 27 Sep 2004 00:39, Lorenzo Hernandez Garcia-Hierro <[EMAIL PROTECTED]> wrote:
> > Most of the features you list are things that are difficult to get into
> > Debian/main.
>
> Not too really difficult, it depends on how it gets developed:
> http://www.debian-hardened.org/wiki/index.php/CVS_Development_Organization
>
> SSP and PIE don't affect the binaries performance (not seriously), and
> arbitrary patches get tested before using them. It goes under the lead210
> pool before it goes to system-dh.

These things are obviously difficult due to the amount of time that has been
spent on them without anything getting into main. The last discussion of SSP
resulted in the GCC package maintainers indicating that they wanted to wait
for Mudflap, other discussion indicates that Mudflap won't do what we really
want in regard to such things (more of a debugging tool than a method of
securing production code). So I guess SSP is on hold until after Mudflap.

> > > About the kernels...the work is in production state, I've currently
> > > tested them on some machines, 2 of them are shared environments
> > > (software-libre.org & ourproject.org) with user chroots, etc.
> > > I've also done the DHKP, but I'm going to remix it and use instead of
> > > the current patches (OW and others) the PaX + RSBAC + SELinux mix.
> >
> > You have RSBAC and SE Linux in the same kernel? What's the point?
>
> I haven't done that work, we are just starting to decide what's the
> painless solution.

Best thing to do is to have separate kernels for GRSEC, RSBAC, and SE Linux.

I am happy to test out all the SE Linux kernels you produce and review all
code and configuration that you use. Let me know when you are ready for me to
do this.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page