
Re: Updated SELinux Release



(...)
>  response 3: _is_ it the job of debian developers to dictate the minimum
>  acceptable security level?

Yes, it is. But we have to weigh in the needs of our users. We want, after 
all, our operating system to be used in a large set of environments and 
some of those might break when enabling SELinux (but we won't know until 
it's enabled, so it's kind of a loophole).

>  basically what i mean is, in gentoo, it's a no-brainer: you set options
>  at the beginning of your build, come back [2 weeks? :) ] later and you
>  have a system with PAX stack smashing, lovely kernel, everything
>  hunky-dory.

In Debian it is also a no-brainer, or, really, a similar no-brainer to Gentoo:

1.- Download your favorite kernel-source package
2.- Download the ExecShield/Adamantix(PaX+RSBAC)/SELinux kernel-packages
(or upstream patches)
3.- Build with make-kpkg, pointing it to the patches so that they get 
applied.
4.- Install the kernel and reboot

With sbuild/buildd etc you can actually recompile the whole distribution 
with whatever options you want to (including a patched gcc) either in your 
system or in a chroot. 

>  debian doesn't GIVE users that choice [remember the adamantix
>  bun-fight, anyone?] and instead settles for about the lowest possible
>  common denominator - no consideration to modern security AT ALL!

Debian does provide choices; the Adamantix stuff is packaged in Debian (it 
has seen few users, though). Debian does not yet provide packages compiled 
with SSP (which would be the other difference with Adamantix currently) but 
some people are working on it to find the best approach to that issue.

Maybe those choices are not sufficiently documented (or used) to be 
mainstream, but choices are there and they are as no-brainer as having a 
user compile the full Gentoo distribution.

Regards

Javier
