
Re: glibc and PaX issue



On 9/6/05, Grzegorz Bizon <verdan@pirx.int.pl> wrote:

> Anyway, I just wonder what is wrong about grsecurity

For starters, the upstream developer claims [1, 2] to engage in the
morally reprehensible practice of selling 0-day exploits he finds in
competing products to blackhats. This also casts doubt on the
trustworthiness of his *own* code, since any undiscovered (read: not
publicly disclosed) vulnerabilities/holes/etc in Grsecurity are a
potential revenue stream for him. Not that my opinion carries much
weight, but I personally feel that this massive conflict of interest
means that Grsecurity should never be supported by Debian in any way
whatsoever.

[1] http://lwn.net/Articles/111437/ - "Does RedHat buy exploits for
their own code? If so, how much would RedHat pay for information on an
information leaking vulnerability in SELinux for a physical, local
user? I've sold all my Exec-Shield exploits (that still work!),
otherwise I'd offer those as well ;\"
[2] http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1315.html

-- 
Andrew Saunders
