Re: glibc and PaX issue
On 9/6/05, Grzegorz Bizon <verdan@pirx.int.pl> wrote:
> Anyway, I just wonder what is wrong about grsecurity
For starters, the upstream developer claims [1, 2] to engage in the
morally reprehensible practice of selling 0-day exploits he finds in
competing products to blackhats. This also casts doubt on the
trustworthiness of his *own* code, since any undiscovered (read: not
publicly disclosed) vulnerabilities/holes/etc in Grsecurity are a
potential revenue stream for him. Not that my opinion carries much
weight, but I personally feel that this massive conflict of interest
means that Grsecurity should never be supported by Debian in any way
whatsoever.
[1] http://lwn.net/Articles/111437/ - "Does RedHat buy exploits for
their own code? If so, how much would RedHat pay for information on an
information leaking vulnerability in SELinux for a physical, local
user? I've sold all my Exec-Shield exploits (that still work!),
otherwise I'd offer those as well ;\"
[2] http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1315.html
--
Andrew Saunders
Reply to: