Hello.
I would like to point out certain things. First of all, maybe the most important, we have the freedom problem here.
It's CLEAR, after analyzing his own words, that our friend Russell Coker has a big interest in getting Exec-shield as part of Debian Linux. That becomes even more clear when you see the affirmation, again in his own words, that he's employed by Red Hat. I won't say here that Red Hat, Inc. would be manipulating information to force Debian users to use one of their products, because I would be going down to the same level as Coker. Since I don't know Red Hat's relationship to this issue, I would go for how non-professional Russell Coker has been with his posts. In practice:

"It seems that exec-shield does 99% of what PaX does (PaX is the most desirable feature in GRSec)"
- I won't go into technical issues since there is an article by Brad (grsecurity), comparing OpenBSD's W^X, PaX and exec-shield, that can be found here: -> http://grsecurity.net/PaX-presentation_files/frame.htm But basically I am so sure that exec-shield doesn't do half of PaX's work.

"Maybe we should solve the debate about grsec and standard kernels by adding exec-shield to the standard Debian kernel source? Then people who use a kernel.org kernel can apply the grsec patch (which will not apply to a Debian kernel source tree), and people who use the Debian kernel source will get exec-shield by default?"
- Who are -you- (the ONLY individual) to define standards on Linux kernel security designs?

"The plan is to get Linus to accept it as a feature for 2.6, but to do this we need to get it tested more. It is being tested in Fedora, I think that we should do the same for Debian. Getting this patch deployed on large numbers of Debian machines is what is necessary to get it accepted by Linus." "I will make a kernel-patch package."
- Again, I don't understand why you should worry so much about some project you don't even own/manage. Or is this for Red Hat?

Second of all, in a technical approach, you should compare all of W^X, Grsec/PaX, Exec-shield. My personal opinion (which doesn't really matter) is that there is nothing like grsec/PaX, they are above all the others in so many ways. It will be easy for you people to see, checking the references, reading the theories, studying the implementations. References should be pointed out:
- http://grsecurity.net/PaX-presentation_files/frame.htm
- http://lists.insecure.org/lists/bugtraq/2003/Aug/0137.html
- http://people.redhat.com/mingo/exec-shield/
- http://marc.theaimsgroup.com/?l=openbsd-misc&m=105056000801065&w=2

This is a lot of information, but google for much more! Users need to build their ideas, and choose what to pick! Don't let somebody write the rules and sign out without being aware of what's up.