Re: Top 5 things that aren't in Debian but should be :-)

To: Russell Coker <russell@coker.com.au>
Cc: Martin Pitt <martin@piware.de>, debian-devel@lists.debian.org
Subject: Re: Top 5 things that aren't in Debian but should be :-)
From: Dan Shearer <dan@shearer.org>
Date: Mon, 19 Jan 2004 13:12:23 +1030
Message-id: <[🔎] 20040119024223.GC15281@erizo.shearer.org>
In-reply-to: <[🔎] 200401151639.34056.russell@coker.com.au>
References: <[🔎] 20040111195339.GI15281@erizo.shearer.org> <[🔎] 20040112091251.GB19863@web08.manitu.net> <[🔎] 200401151639.34056.russell@coker.com.au>

Russell,

That's helpful. This is exactly the sort of thing I am looking for...
minimal things that can be applied which tend towards "secure by
default" without breaking everything in sight. 

On Thu, Jan 15, 2004 at 04:39:34PM +1100, Russell Coker wrote:
> On Mon, 12 Jan 2004 20:12, Martin Pitt <martin@piware.de> wrote:
> > It would be nice to provide better proactive system security out of
> > the box: e.g. mandatory access control and ACLs
> > (grsecurity|SELinux|lids), PaX, all packages compiled with buffer
> > overflow protection and a gcc supporting this (like Steve Kemp's gcc).
> 
> SE Linux is in 2.6.0 and 2.6.1.  Herbert has stated that he will build SE 
> Linux into 2.6.1 if he has time.

Good. Doesn't cost anything if you don't use it, or at least, if the
costs are noticeable for you you'll be building your own kernel anyway.

> For PaX to be considered we need someone to maintain a kernel-patch-pax 
> package that contains a patch which applies to a Debian kernel source.  
> No-one has been willing to do this so far.
> 
> Steve Kemp's gcc has been working well for me.  I've built kernels and 
> applications with it and not found any problems.  I expect that it will 
> become a standard feature in Debian's gcc soon.

What makes you so confident about this?  I agree that Steve's GCC
(packaging some work from IBM research, see http://www.steve.org.uk)
seems to work but there's a long jump between that and saying it is
ready to unleash on everyone. I've not heard any reports from embedded
users for example and I've never asked gdb developers what they think of
it either -- just to pick two examples of possible problems that occur
to me on the spot. Maybe someone has done lots of homework on this, the
IBM people perhaps.

-- 
Dan Shearer
dan@shearer.org

Reply to:

Follow-Ups:
- Re: Top 5 things that aren't in Debian but should be :-)
  - From: Steve Kemp <skx@debian.org>
- Re: Top 5 things that aren't in Debian but should be :-)
  - From: Russell Coker <russell@coker.com.au>

References:
- Top 5 things that aren't in Debian but should be :-)
  - From: Dan Shearer <dan@shearer.org>
- Re: Top 5 things that aren't in Debian but should be :-)
  - From: Martin Pitt <martin@piware.de>
- Re: Top 5 things that aren't in Debian but should be :-)
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: Removal of libtool1.4
Next by Date: Re: Top 5 things that aren't in Debian but should be :-)
Previous by thread: Re: Top 5 things that aren't in Debian but should be :-)
Next by thread: Re: Top 5 things that aren't in Debian but should be :-)
Index(es):
- Date
- Thread