[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#605090: Linux 3.2 in wheezy



On Mon, 30 Jan 2012 22:26:50 +0100, Yves-Alexis Perez <corsac@debian.org> wrote:
> On lun., 2012-01-30 at 14:08 +0000, Ben Hutchings wrote:
> > On Mon, 2012-01-30 at 11:05 +0100, Yves-Alexis Perez wrote:
> > > (adding few CC:s to keep track on the bug)
> > > 
> > > On dim., 2012-01-29 at 21:26 +0000, Ben Hutchings wrote:
> > > > On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote:
> > > > > On dim., 2012-01-29 at 18:22 +0000, Ben Hutchings wrote:
[...]
> > > Now, I still think having a hardened Debian kernel inside the
> > > distribution is helpful
> > [...]
> > 
> > I agree and I would like to see hardening of *all* our configurations,
> > where the performance cost is not too much.  That's going to protect all
> > our users rather than just people who seek out a special paranoid
> > configuration.

Would you agree that there are some small hardening things that can be
done that don't impact performance that much? In particular the
privilege boundries mentioned earlier does not seem to introduce any
particular performance cost worth worrying about.

> So I think it's perfectly clear that nor Debian nor Grsecurity are
> really interested in Debian shipping a Grsecurity kernel.

Well, I don't think its fair to say "Debian" is not interested in
shipping a Grsecurity kernel. I think its more accurate to say that the
current configuration of the Debian kernel team doesn't find the time to
deal with it... but I'm not sure that speaks for all of Debian.

> I find that sad, because I do think there are users of both which would
> benefit from that, and not only people who seek out a special paranoid
> configuration.

I agree. On some machines, I would gladly trade perfomance for a
hardened kernel where that is more important and it is unfortunate that
the attempt to appeal to all possible configurations at the same time
results in a kernel that doesn't allow for specialized configurations
that people want/need.

> Anyway, I'll keep updating the current setup for interested people, but
> without any interest from either party, that definitely looks like a
> dead end.

What is stopping you from creating another package, that provides the
kernel with grsecurity patches applied? Don't bother the kernel team
with it, and just maintain it yourself in the archive? Its free software
afterall. 

micah

Attachment: pgpIMOD9CFhvR.pgp
Description: PGP signature


Reply to: