
Bug#605090: Updated patch



On Wed, 9 Feb 2011 18:51:02 +0100, maximilian attems <max@stro.at> wrote: 
> 
> > > first of all merging a patch that deviates from mainline for an
> > > eternity and shows zero interest of upstream merging is not a
> > > good candidate. You get longterm plenty of cost versus almost
> > > no benefit.
> > 
> > There's no interest in upstreaming from grsec/pax teams but some other
> > people are indeed interested in upstreaming those kind of features. In
> > the meantime, having a featureset is a nice way to move along.
> 
> That is a wrong look at the problem, once it's upstream everybody profits.
> So this looks more like a dead end road.

So instead of having things that are nice, we should wait until upstream
has them?

> Considering that SELinux is inside the kernel it would be a much better time
> investment to polish that. What makes you think that a Debian Hardened
> with proper SELinux wouldn't be really appreciated!?

It would be. So would a proper grsecurity kernel.

> > > Third beside "security" theatre what is gained by it?
> > 
> > I think the whole point of the “Grsecurity” patchset is “security”.
> 
> I like the way you put it under brackets and think that
> security is gained by just applying this patchset.

Can you show that grsecurity does not provide any additional security?

> > > Fourth why not invest the time for Wheezy and have finally the mainline
> > > and security backed SELinux ready. This seems like a much better time
> > > investment.
> > 
> > Trying to push some bits upstream is indeed a good time investment
> > (though it takes time and I really think moving forward now is a good
> > idea). But Grsecurity isn't a drop-in replacement for SELinux. Some
> > features like RBAC and auditing have some similarities, but all the
> > hardening and memory protection really have nothing to do with that.
> 
> Be more precise in what SELinux can't do for you?
> (Emulating NX for bad hardware doesn't count these days).

For some SELinux is the right choice, for others grsecurity. It's obvious
which you prefer, but not everyone is the same as you. Yves-Alexis is
interested in doing the work on something that you do not want to do the
work on, that seems like a good thing.

micah
