On Fri, 2012-02-03 at 00:34 +0000, Ben Hutchings wrote: > There is an easy way to benefit from it. Well still the user wouldn't know how to configure it... Actually I must admit that I haven't followed PaX/grsec now for some time (mainly due to the deb package being always out of date in sid). Wasn't it once the case with PaX that packages have to be compiled specially? Or some ELF headers added or so? And there were no execute features which are perhaps superseded to some extent (now that AMD64 has NX bit)... So what I mean in the end,... I'm surely not an expert with respect to the kernel, but at least I used to have my own .config since years,.. still it would mean quite some effort for me to get PaX/grsec running in a way that I for myself believe I've done it right. And this does not include tracing problems (I _very_ vaguely remember that one had to make exceptions e.g. for Java?) And that's why I think that such "special" frameworks like PaX/grsec, SElinux, Apparmor, Smack, etc. pp. make only sense if well supported by the distro, at least for some (blind guess:) 80-90% of all potential users. > You flatter us. General experience with kernel development does not > make someone an expert that is capable of understanding all the > implications of rebasing a patch or patch set that modifies many core > kernel features. Well come on Ben,.. you've already helped me so often with issues with the kernel,... you guys have at least some very good overview on everything! > > Well IMHO, at best, one should never need to rund anything from outside > > the Debian archives ;) > Wishing it so doesn't make it practically possible. Well.. so far I do :D Cheers, Chris.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature