On Wed, Mar 02, 2016 at 10:09:47AM +0100, Yves-Alexis Perez wrote:
> Hi teams,
>
> [first of all, I'm writing this with my linux-grsec hat, not my Debian
> security team member hat, obviously]
>
> As you may know, src:linux-grsec was accepted in unstable earlier this year.
> As a quick summary, this is a source linux package (forked from and
> periodically rebased against src:linux) which generates a linux kernel with
> the grsecurity hardening patch (the patch is mostly about fighting memory
> corruptions bugs, but not only, I won't enter into details here to keep it
> short, but more information can be found in the ITP bug #605090).
>
> When the package was accepted to unstable, I filed #810506 with severity
> serious in order to prevent it to migrate to testing, because I wasn't really
> sure it'd be fit for stable.
>
> There are two main aspects for this:
>
> - it's a new Linux kernel source package, next to the existing src:linux, so
> that means code duplication
> - due to the grsecurity release model, it's likely that it won't be possible
> to stick with a major kernel version (4.3 right now, 4.4 upcoming), we would
> have to upgrade to the latest major release (using stable uploads)
Before considering that, did anyone approch grsecurity whether we can get
access to the grsecurity stable patches? We would most definitely have Debian
funds to become grsecurity sponsors to obtain access to stable patches.
Whether that's possible/desirable by grsecurity is the question, though:
Having the stable patches in Debian would make them available to the
general public (including those sleazy embedded companies which made them
change their distribution scheme).
(However a determined, GPL violating embedded company who wants access to
the stable patches would likely find a way anyway)
Cheers,
Moritz
