
Re: Bug#605090: Proposing amd64-hardened architecture for Debian



On Tue, Apr 22, 2014 at 08:30:01PM +0100, Ben Hutchings wrote:
> On Mon, 2014-04-21 at 05:28 +0200, Carlos Alberto Lopez Perez wrote:
> > On 17/04/14 00:23, Aaron Zauner wrote:
> > > Now shipping grsec is a really good idea. I'd like to see that as well.
> > 
> > There has been an attempt to provide an official grsec flavour of the
> > Debian kernel, but it didn't work:
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090
> > 
> > For those interested, Corsac provides packages:
> > 
> > https://wiki.debian.org/grsecurity
> 
> There was a recent discussion on -private where I think there was some
> consensus that a grsecurity kernel package could be included in Debian
> as a separate source package.

I'm a bit unsure about that consensus. Right now there are two attempts
to provide a grsecurity package for Debian:

- mine, which is about adding a grsec featureset to the src:linux
  package (so basically adding grsec patch on top of the Debian patches,
  and re-using everything else). This attempt was already NACK-ed by the
  kernel team;
- the Mempo/SameKernel attempt, which is about using a vanilla kernel
  and adding grsecurity on top of it (and, I guess, a .config which
  looks like the src:linux one)

The latter is much easier in terms of management since all the
integration is done by spender (he's actually working on providing
.deb builds of grsec packages), so I didn't really consider it worth
investing time in, since basically everyone can do it with a simple
script.

NOTE: I don't want to dismiss the Mempo attempts, especially the
reproducible build part, and I also think it's valuable to provide our
users with a grsec kernel as part of the distribution; it's just that I
preferred to go the featureset way.

I had the impression that adding a new copy of the linux sources was not
really something appreciated by the project, and re-using linux-source
(binary) package means the patch porting needs to be done anyway.

But if I'm wrong, or if things have changed since then, and there's
indeed a consensus for vanilla + grsecurity + make deb-pkg as an
easy way to provide grsec kernels in the Debian archive, then I'm all
for it.

Regards,
-- 
Yves-Alexis Perez
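The "vanilla + grsecurity + make deb-pkg" route mentioned above, written out as a script. This is an added example, not code from the thread, from Mempo or from the Debian kernel team. It assumes the kernel tarball, its detached kernel.org signature (.tar.sign, which covers the uncompressed tar), the grsecurity patch with its .sig, and a saved Debian .config are already in the current directory and that the signing keys are already in your keyring; it also assumes the grsecurity-<grsec version>-<kernel version>-<timestamp>.patch naming used for releases of that era. The version check exists because a patch for the wrong kernel version is the most common way such a build fails, and it is better to catch that before unpacking anything.

```shell
#!/bin/sh
# Added example: build a .deb of a vanilla kernel plus grsecurity with
# `make deb-pkg`. Filenames, paths and the hypothetical debian.config are
# assumptions of this example, not from the mail.
set -eu

# Kernel version a grsecurity patch targets, taken from its filename:
# grsecurity-3.0-3.14.1-201404221905.patch  ->  3.14.1
grsec_kernel_version() {
    base=${1##*/}
    base=${base%.patch}
    rest=${base#grsecurity-*-}   # drop "grsecurity-<grsec version>-"
    printf '%s\n' "${rest%-*}"   # drop "-<timestamp>"
}

# Kernel version of a kernel.org tarball: linux-3.14.1.tar.xz -> 3.14.1
tarball_kernel_version() {
    base=${1##*/}
    base=${base#linux-}
    printf '%s\n' "${base%.tar.*}"
}

# True when the patch was made for exactly the tarball's kernel version.
check_patch_matches() {
    [ "$(grsec_kernel_version "$1")" = "$(tarball_kernel_version "$2")" ]
}

# build_grsec_deb <linux tarball> <grsecurity patch> <debian .config>
build_grsec_deb() {
    tarball=$1 patch=$2 config=$3
    ver=$(tarball_kernel_version "$tarball")

    check_patch_matches "$patch" "$tarball" || {
        echo "$patch is for kernel $(grsec_kernel_version "$patch"), tarball is $ver" >&2
        return 1
    }

    # Verify both inputs before unpacking. kernel.org signs the uncompressed
    # tar, so decompress to stdout and verify against linux-<ver>.tar.sign.
    xz -cd "$tarball" | gpg --verify "${tarball%.xz}.sign" -
    gpg --verify "$patch.sig" "$patch"

    tar -xf "$tarball"
    cd "linux-$ver"
    patch -p1 < "../$patch"

    # Start from the Debian config; oldconfig prompts for the new grsecurity
    # options so they are chosen deliberately rather than defaulted.
    cp "../$config" .config
    make oldconfig
    make -j"$(nproc)" deb-pkg LOCALVERSION=-grsec
}

# Only build when invoked with the three arguments; sourcing the file just
# defines the functions.
if [ "$#" -eq 3 ]; then
    build_grsec_deb "$@"
fi
```

Usage: `sh build-grsec.sh linux-3.14.1.tar.xz grsecurity-3.0-3.14.1-201404221905.patch debian.config` (constructed filenames). The resulting linux-image and linux-headers .debs land in the parent directory, as `make deb-pkg` always does.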
