On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote: > On dim., 2012-01-29 at 18:22 +0000, Ben Hutchings wrote: > > Featuresets > > ----------- > > > > The only featureset provided will be 'rt' (realtime), currently built > > for amd64 only. If there is interest in realtime support for other > > architectures, we may be able to add that. However, we do need to > > consider the total time taken to build binary packages for each > > architecture. > > > > If there are particular container features that should be enabled or > > backported to provide a useful replacement for OpenVZ or VServer, > > please let us know. We cannot promise that these will all be enabled > > but we need to know what is missing. > > So in the end what are the reasons for not trying the grsecurity > featureset? #605090 lacks any reply from the kernel team since quite a > while, and especially after answers were provided to question asked. You already know the main reason: > Feature-wise, Brad Sprengler and the PaX team still add stuff, like the > gcc plugins or hardening features like symbols hiding, fix bugs (for > example in RBAC code), while few of them reach mainline. I realise that the mainline Linux developers have sometimes been unreasonably resistant to these changes and I'm not intending to assign blame for this. But practically this means that we have to either carry the featureset indefinitely or disappoint users by removing it in a later release. (See the complaints about removing OpenVZ in wheezy despite 4 years' advance notice of this.) It also appears that you never had any response to your question to upstream about minimising the patch set. > Not doing anything is indeed a way to just get rid of the question, but > I would have at least appreciated a definitive answer on the bug rather > than via the dda mail. I'm sorry about that; it completely slipped my mind as there have been no discussions about it for some months. Ben. -- Ben Hutchings If you seem to know what you are doing, you'll be given more to do.
Description: This is a digitally signed message part