
Re: security enhanced debian branch?



On Thu, Dec 18, 2003 at 09:41:28AM -0800, Matt Zimmerman wrote:

> For cases where the added functionality is provided by additional packages,
> this is easy.  However, some of the things which are being experimented with
> include compiler patches to produce binaries which make certain types of
> exploits more difficult, and that kind of thing is not easy to merge into
> Debian proper.

  I am working on the compiler patches and it is my intention to rebuild
 and distribute a lot of the core packages to ensure they continue to
 work correctly.

  I am not currently sure whether gcc-3.3 can be used to compile woody
 kernels, but apart from that the packages for which I foresee problems
 as being most likely include:

	X
	perl
	libc

  If I can get those built and tested then I'd be confident to
 recommend the SSP patches be enabled globally in unstable - at that
 point my work will be done.

  Even compiling most of the stable distribution will not prove that
 things are "safe", I guess we only know if we enable it and see what
 happens on non-x86 platforms, something I'm not really able to test
 directly.

  .. and I may find the time to work with some of the interesting kernel
 packages, or go back to doing source auditing.

Steve
--


