On Wed, Feb 01, 2012 at 06:41:43PM +0100, Yves-Alexis Perez wrote:
> On mer., 2012-02-01 at 14:32 +0000, Ben Hutchings wrote:
> > On Wed, 2012-02-01 at 10:51 +0100, Yves-Alexis Perez wrote:
> > > On mer., 2012-02-01 at 10:34 +0100, Wouter Verhelst wrote:
> > > > On Wed, Feb 01, 2012 at 10:24:40AM +0100, Yves-Alexis Perez wrote:
> > > > > On mar., 2012-01-31 at 11:01 -0500, micah anderson wrote:
> > > > > > What is stopping you from creating another package, that provides
> > > > > > the
> > > > > > kernel with grsecurity patches applied? Don't bother the kernel team
> > > > > > with it, and just maintain it yourself in the archive? Its free
> > > > > > software
> > > > > > afterall.
> > > > > >
> > > > >
> > > > > Honestly, having multiple linux source package in the archive doesn't
> > > > > really sound like a good idea. I don't really think the kernel team
> > > > > would appreciate, I'm pretty sure ftpmasters would disagree, and as a
> > > > > member of the security team, It's definitely something I would object.
> > > >
> > > > Well, that's what we have the 'linux-source' packages for: to allow
> > > > other packages to build-depend on them.
> > > >
> > >
> > > Hmhm, that might be a good idea indeed. I need to investigate and try
> > > that a bit.
> > >
> > > Ben, what would kernel team think of that?
> >
> > I don't speak for the whole team, but I don't see that it solves any
> > problem. You would have to Build-Depend on exact versions of
> > linux-source, so that you know your external patches will apply. Then
> > you would have to rebase the patches every time linux-2.6 is updated,
> > making sure (without much help from upstream) that you don't introduce a
> > subtle security problem.
> >
> Well, that's already what I do and intended to do (and that's clear from
> the beginning of the bug report).
>
> Wrt not introducing subtle security problems, what I mostly do is remove
> the security backports from the grsec patch which are already applied to
> Debian kernel, so this part is fairly straightforward.
>
> Now indeed when doing the job for Squeeze kernel it's a bit less
> straightforward because of the huge amount of driver backports, but from
> my own experience, the conflicts are still mostly about changed context
> lines.
But your upstream disagrees on that point.
Ben.
--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120201183043.gv12...@decadent.org.uk
