> On Thu, 2012-02-02 at 12:18 +1100, Russell Coker wrote:
> > On Thu, 2 Feb 2012, dann frazier <da...@dannf.org> wrote:
> > > While it may help the kernel team to not have to worry about problems
> > > in the grsec flavor when preparing uploads, preventing delays for the
> > > non-grsec images. But, that just pushes the coordination down a ways -
> > > for stable updates we would need to add the grsec build into the
> > > pipeline, and there'd be delays in grsec security updates that go in
> > > via linux-2.6. Not nak'ing the idea, but it does extend some critical
> > > paths.
> >
> > The current approach of having a kernel patch package seems to work well.
> > It removes the need for involvement of the kernel and security teams
> > (presumably security changes to the kernel will usually not require
> > changes to the grsecurity patch) and allows the users to easily build
> > their own kernels.
> >
> > If a user has a choice between using Spender's Debian package and a
> > kernel-patch package to build their own kernel then I think that they
> > should be able to do whatever they want.
> >
> > Spender suggested that people who want GRSecurity on Debian would be
> > better off using a .deb he provides and working on user-space hardening.
> >
(please don't top-post)

If people on the CC: list want to be dropped, please ask :)

On Thu, 2012-02-02 at 07:18 +0100, Kees de Jong wrote:
> Perhaps you should contact Julien Tinnes of http://kernelsec.cr0.org/
> He has been too busy to work on the kernels lately but maybe he wants to help.
>

Well Julien was aware of my initiative and, afaict, he didn't really have
time for that, nor was interested in the porting part.

And as I said before, I'm not interested in shipping just a patch in Debian.
If users want to patch the kernel, configure it and build it, I think they're
better off getting the latest patch from grsecurity.net and kernel from
kernel.org.

The point was in shipping a binary package with a default setup secure
enough, and a way to tune the features through sysctl.

Regards,
--
Yves-Alexis