
Re: Attempts at security



On Sunday 04 February 2007 01:20, Henrique de Moraes Holschuh <hmh@debian.org> 
wrote:
> On Sat, 03 Feb 2007, Russell Coker wrote:
> > One that springs to mind is CONFIG_HIGHMEM4G, it seems only useful if you
> > have
>
> You need to enable PAE (64GB support) to access the NX bit on ia32, which
> is even worse, and that's the reason why my 1GB laptop has a PAE kernel :(

My impression (after a quick google search) is that only applies when running 
a 32bit kernel on a 64bit CPU.  Best to just run an AMD64 kernel and have NX 
without any problems.

As an AMD64 kernel runs 32bit binaries, if you want a 32bit user-space why not 
run a 64bit kernel anyway?

> Heck, use of ECC memory can slow down a system by as much as 1% AFAIK, and
> still, use of ECC is pretty much a given everywhere people really care
> about stability (e.g. you cannot even buy servers from non-joke vendors
> without chipkill memory...)

I wasn't aware of a 1% slowdown, however I have observed that the vendors that 
ship ECC systems tend to ship them some months after equivalent machines are 
available in non-ECC versions.  Being 3-6 months behind the cutting edge of 
technology is effectively more than a 1% loss.

> It *is* quite measurable when it is ON and enforcing policy, but since we

Measurable being as much as 5% depending on what you do (usually significantly 
less than 5%).

> > > It is not enabled by default. That is the other point: you get that
> > > selinux integration if you want or not.
>
> Yes, and exactly what is the problem with that?
>
> Have you *ever* looked at the amount of libraries we link to in Debian?
> SE Linux libs are small compared to most of them, and *far* more useful.

Maybe the people who complain about SE Linux overhead would be better off 
using Gentoo.  With Gentoo you can turn off every option that you don't need.  
This gets you the minimal installed size for everything and also means that 
you can discover exciting new bugs that other people haven't discovered.

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development


