
Re: Bug#605090: Linux 3.2 in wheezy

> On Thu, 2012-02-02 at 12:18 +1100, Russell Coker wrote:
> > On Thu, 2 Feb 2012, dann frazier <dannf@dannf.org> wrote:
> > > While it may help the kernel team to not have to worry about problems
> > > in the grsec flavor when preparing uploads, preventing delays for the
> > > non-grsec images. But, that just pushes the coordination down a ways -
> > > for stable updates we would need to add the grsec build into the
> > > pipeline, and there'd be delays in grsec security updates that go in
> > > via linux-2.6. Not nak'ing the idea, but it does extend some critical
> > > paths.
> > 
> > The current approach of having a kernel patch package seems to work well.  It 
> > removes the need for involvement of the kernel and security teams (presumably 
> > security changes to the kernel will usually not require changes to the 
> > grsecurity patch) and allows the users to easily build their own kernels.
> > 
> > If a user has a choice between using Spender's Debian package and a kernel-
> > patch package to build their own kernel then I think that they should be able 
> > to do whatever they want.
> > 
> > Spender suggested that people who want GRSecurity on Debian would be better 
> > off using a .deb he provides and working on user-space hardening.
> > 

(please don't top-post)
If people on the CC: list want to be dropped, please ask :)

On Thu, 2012-02-02 at 07:18 +0100, Kees de Jong wrote:
> Perhaps you should contact Julien Tinnes of http://kernelsec.cr0.org/
> He has been too busy to work on the kernels lately but maybe he wants
> to help.

Well, Julien was aware of my initiative and, afaict, he didn't really
have time for that, nor was he interested in the porting part.

And as I said before, I'm not interested in shipping just a patch in
Debian. If users want to patch the kernel, configure it and build it, I
think they're better off getting the latest patch from grsecurity.net
and kernel from kernel.org. The point was in shipping a binary package
with a default setup secure enough, and a way to tune the features
through sysctl.

