On Mon, 30 Jan 2012 22:26:50 +0100, Yves-Alexis Perez <cor...@debian.org> wrote:
> On lun., 2012-01-30 at 14:08 +0000, Ben Hutchings wrote:
> > On Mon, 2012-01-30 at 11:05 +0100, Yves-Alexis Perez wrote:
> > > (adding few CC:s to keep track on the bug)
> > >
> > > On dim., 2012-01-29 at 21:26 +0000, Ben Hutchings wrote:
> > > > On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote:
> > > > > On dim., 2012-01-29 at 18:22 +0000, Ben Hutchings wrote:
[...]
> > > Now, I still think having a hardened Debian kernel inside the
> > > distribution is helpful
> > [...]
> >
> > I agree and I would like to see hardening of *all* our configurations,
> > where the performance cost is not too much. That's going to protect all
> > our users rather than just people who seek out a special paranoid
> > configuration.

Would you agree that there are some small hardening things that can be done that don't impact performance that much? In particular the privilege boundaries mentioned earlier do not seem to introduce any particular performance cost worth worrying about.

> So I think it's perfectly clear that neither Debian nor Grsecurity are
> really interested in Debian shipping a Grsecurity kernel.

Well, I don't think it's fair to say "Debian" is not interested in shipping a Grsecurity kernel. I think it's more accurate to say that the current configuration of the Debian kernel team doesn't find the time to deal with it... but I'm not sure that speaks for all of Debian.

> I find that sad, because I do think there are users of both which would
> benefit from that, and not only people who seek out a special paranoid
> configuration.

I agree. On some machines, I would gladly trade performance for a hardened kernel where that is more important and it is unfortunate that the attempt to appeal to all possible configurations at the same time results in a kernel that doesn't allow for specialized configurations that people want/need.

> Anyway, I'll keep updating the current setup for interested people, but
> without any interest from either party, that definitely looks like a
> dead end.

What is stopping you from creating another package, that provides the kernel with grsecurity patches applied? Don't bother the kernel team with it, and just maintain it yourself in the archive? It's free software after all.

micah