
Re: Bug#605090: Proposing amd64-hardened architecture for Debian



Ben Hutchings <ben@decadent.org.uk> wrote:
> There was a recent discussion on -private where I think there was some
> consensus that a grsecurity kernel package could be included in Debian
> as a separate source package.

Ack. Quoting myself from the thread on -private for public discussion:

| If grsec is introduced, then it needs to be separate source package to
| remain as close to upstream as possible (modulo DFSG firmware bits).
| 
| If it is a different source package (and not building linux-libc-dev)
| I don't see much of a problem if the grsec kernel is two or three
| revisions behind src:linux.
|
| As far as security triage for grsec is concerned it will be sufficient to
| follow the grsec releases in stable. Ubuntu 14.04 LTS will be based on
| 3.13, so all important bugfixes will land in 3.13.x longterm (plus
| several vulnerabilities will be moot in grsec).

As for the proposal on amd64-hardened:

I would prefer if we focus on the hardening features available for
all (making everyone profit from enhanced security). Some of the
plans mentioned in https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
could use someone driving the effort to speed things up:

- GCC 4.9 has been released today, organise an archive rebuild with
  gcc-defaults pointing to 4.9 and dpkg-buildflags emitting
  -fstack-protector-strong

- Work on hidepid=1 by default, post debs for people to test-drive and
  fixup regressions in userland

Cheers,
        Moritz
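Added example (not part of this message or of Debian's tooling): a small POSIX sh audit that checks the two defaults discussed in the list above on a running system, without changing anything. It asks whether the CFLAGS emitted by dpkg-buildflags contain -fstack-protector-strong and whether /proc is mounted with hidepid. Both checks are written as functions over text so they also run against the constructed sample input embedded below; the function and sample names are the example's own.

```sh
#!/bin/sh
# Audit two hardening defaults: dpkg-buildflags CFLAGS and hidepid on /proc.
# Constructed sample input (not captured from a real system):
SAMPLE_CFLAGS_OLD="-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security"
SAMPLE_CFLAGS_NEW="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security"
SAMPLE_MOUNTS="sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
udev /dev devtmpfs rw,relatime,size=10240k,nr_inodes=999 0 0"

# Return 0 when the flag string carries the strong (or all) variant.
# Plain -fstack-protector, the older default, deliberately does not match.
has_strong_stack_protector() {
    case " $1 " in
        *" -fstack-protector-strong "*|*" -fstack-protector-all "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the hidepid level of the /proc mount found in the given /proc/mounts
# text: 0 when absent. Newer kernels may show the option by name
# (noaccess/invisible/ptraceable), so those are mapped to 1/2/4.
proc_hidepid_level() {
    lvl=$(printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" {
        n = split($4, o, ","); lvl = 0
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^hidepid=/) {
                v = substr(o[i], 9)
                if (v == "noaccess") v = 1
                else if (v == "invisible") v = 2
                else if (v == "ptraceable") v = 4
                lvl = v + 0
            }
        }
        print lvl
    }' | tail -n 1)
    printf '%s\n' "${lvl:-0}"
}

# Run both checks against the live system; always exits 0 so it can be
# dropped into a larger script without aborting it.
audit_system() {
    flags=$(dpkg-buildflags --get CFLAGS 2>/dev/null || true)
    if has_strong_stack_protector "$flags"; then
        echo "CFLAGS: -fstack-protector-strong present"
    else
        echo "CFLAGS: -fstack-protector-strong missing (got: ${flags:-<no dpkg-buildflags>})"
    fi
    mounts=$(cat /proc/mounts 2>/dev/null || true)
    level=$(proc_hidepid_level "$mounts")
    if [ "$level" -ge 1 ]; then
        echo "/proc: hidepid=$level"
    else
        echo "/proc: hidepid not set (other users' processes are visible)"
    fi
    return 0
}

audit_system
```

The flag check matches on whole tokens, so the pre-4.9 default `-fstack-protector` is reported as missing rather than silently accepted; the hidepid check takes the last /proc mount line, which is what the kernel honours when /proc has been remounted.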