Re: Bug#605090: Proposing amd64-hardened architecture for Debian
- To: debian-kernel@lists.debian.org
- Subject: Re: Bug#605090: Proposing amd64-hardened architecture for Debian
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Tue, 22 Apr 2014 22:12:40 +0200
- Message-id: <slrnlldj9o.2ie.jmm@inutil.org>
- References: <534D0341.5050807@balintreczey.hu> <534E6E4C.1040709@azet.org> <CAK0OdpyndQWFD_wU_rAqxLdgPQEbjeG0yEQKc2LRSXp-jBqAQw@mail.gmail.com> <534F02D4.6010608@azet.org> <5354904B.5050805@igalia.com> <1398195001.7767.107.camel__30997.2172756263$1398195209$gmane$org@deadeye.wl.decadent.org.uk>
Ben Hutchings <ben@decadent.org.uk> wrote:
> There was a recent discussion on -private where I think there was some
> consensus that a grsecurity kernel package could be included in Debian
> as a separate source package.
Ack. Quoting myself from the thread on -private for public discussion:
| If grsec is introduced, then it needs to be separate source package to
| remain as close to upstream as possible (modulo DFSG firmware bits).
|
| If it is a different source package (and not building linux-libc-dev)
| I don't see much of a problem if the grsec kernel is two or three
| revisions behind src:linux.
|
| As far as security triage for grsec is concerned it will be sufficient to
| follow the grsec releases in stable. Ubuntu 14.04 LTS will be based on
| 3.13, so all important bugfixes will land in 3.13.x longterm (plus
| several vulnerabilities will be moot in grsec)
As for the proposal on amd64-hardened:
I would prefer if we focus on the hardening features available for
all (making everyone profit from enhanced security). Some of the
plans mentioned in https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
could use someone driving the effort to speed things up:
- GCC 4.9 has been released today, organise an archive rebuild with
gcc-defaults pointing to 4.9 and dpkg-buildflags emitting
-fstack-protector-strong
- Work on hidepid=1 by default, post debs for people to test-drive and
fixup regressions in userland
Cheers,
Moritz
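As an added example (not part of this mail, and not code from Debian's packaging), the following POSIX sh check reports which hidepid level /proc is mounted with, parsing /proc/mounts-style lines. The sample mount lines are constructed, and the group name "proc" used in the fstab comment is an assumption; the gid= option itself is what lets a monitoring group keep full visibility when hidepid causes userland regressions.

```shell
#!/bin/sh
# Added example, not from the original mail or from Debian's packaging.
# Parses /proc/mounts-style lines and reports the hidepid level on /proc:
#   0 (or absent): every user can read every /proc/<pid>
#   1: users may not enter other users' /proc/<pid> directories
#   2: other users' processes are hidden from /proc entirely
# The gid= option (a group named "proc" is assumed here) exempts one group,
# which is how regressions in process-monitoring tools are handled:
#   /etc/fstab:  proc /proc proc defaults,hidepid=1,gid=proc 0 0
#   live test:   mount -o remount,hidepid=1,gid=proc /proc

# Constructed sample of /proc/mounts output, not captured from a real host.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=1,gid=104 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,mode=755 0 0'

# proc_hidepid_level "<mounts text>"
# Prints the hidepid level of the /proc mount, 0 if the option is absent,
# or "none" if /proc is not mounted at all.
proc_hidepid_level() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" {
            level = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) {
                    sub(/^hidepid=/, "", opts[i])
                    level = opts[i]
                }
            }
            print level
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# hidepid_ok "<mounts text>" succeeds (exit 0) when /proc restricts other
# users' process information, i.e. hidepid is 1 or 2.
hidepid_ok() {
    case "$(proc_hidepid_level "$1")" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# On a running system: hidepid_ok "$(cat /proc/mounts)" && echo "hidepid set"
```

On a live host, pass the real file contents with `proc_hidepid_level "$(cat /proc/mounts)"`; the functions never read the system themselves, so the check also works offline against captured mount tables from other machines.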