Re: exec-shield (maybe ITP kernel-patch-exec-shield)

To: Zenaan Harkness <zen@iptaustralia.net>
Cc: debian-devel@lists.debian.org
Subject: Re: exec-shield (maybe ITP kernel-patch-exec-shield)
From: Russell Coker <russell@coker.com.au>
Date: Fri, 28 Nov 2003 12:59:16 +1100
Message-id: <[🔎] 200311281259.16099.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] 1069980201.3533.62.camel@zen8100a>
References: <[🔎] 20031121164140.GA23900@adamantix.org> <[🔎] 20031127135954.GA2371@adamantix.org> <[🔎] 1069980201.3533.62.camel@zen8100a>

On Fri, 28 Nov 2003 11:43, Zenaan Harkness <zen@iptaustralia.net> wrote:
> As I understand it, having a separate patch package is simply a
> procedural issue within Debian - unless you can convince the current
> kernel packager to include your desired (or our desired, when
> debian-enterprise decides PAX is a required goal) patch into the kernel
> immediately. The point is, when a patch (Debian packaged) is firstly
> made available, a bunch of people can go test it, report bugs if there
> are any, submit patches (eg. for other packages that might need changes
> to work with it), and if it is eventually "popular enough", it might
> even get into the kernel proper.

For an "Enterprise" distribution of Linux the first priority will be 
delivering reliable operation and decent performance under heavy load.  The 
Red Hat kernels are good for this, they have many features such as Ext3 
directory hashing back-ported from 2.6 to 2.4 kernels.  They also have some 
bug fixes for serious performance bugs (such as IO performance sucking under 
heavy load on 2.4.x kernels with >=4G of RAM).

Exec-shield is also going into the Red Hat kernels.  So if Debian adopts a Red 
Hat kernel for it's enterprise release then exec-shield will come as part of 
it.

Producing a kernel source tree based on the Red Hat kernel tree but with PaX 
instead of exec-shield may take some work, and this may take more time and 
skill than is available.

We can expect that taking the Red Hat kernel source is an option for on-going 
support of an enterprise kernel.  Is someone prepared to commit to on-going 
work in producing Red Hat kernel source trees with PaX?

> Some of our users (eg. one of my boxes - the one dedicated to my band)
> have real-time scheduling and latency as highest priority. It is not
> even connected to the net, and thus security is a non-issue. And it
> would require more effort *for me and the band as Debian-multimedia
> users* to have to back out security patches that lowered our real-time
> audio performance. Of course, now that the debian-multimedie sub project

I am not aware of any security patches hurting that performance.  Security 
patches will slightly decrease performance, but you are generally looking at 
less than 5% for most operations and less than 10% for the worse cases (such 
as Gig-E networking).  If such a small performance difference will break your 
system then you probably have problems already.

Also I am not aware of any security patches giving worse real-time 
performance.  They just increase the time taken to complete operations.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

References:
- Re: exec-shield (maybe ITP kernel-patch-exec-shield)
  - From: Peter Busser <peter@adamantix.org>
- Re: exec-shield (maybe ITP kernel-patch-exec-shield)
  - From: Peter Busser <peter@adamantix.org>
- Re: exec-shield (maybe ITP kernel-patch-exec-shield)
  - From: Zenaan Harkness <zen@iptaustralia.net>

Prev by Date: Re: /etc/aliases and policy -- possible mass bug filing
Next by Date: Re: /etc/aliases and policy -- possible mass bug filing
Previous by thread: Re: exec-shield (maybe ITP kernel-patch-exec-shield)
Next by thread: Re: exec-shield (maybe ITP kernel-patch-exec-shield)
Index(es):
- Date
- Thread