Bug#605090: Proposing amd64-hardened architecture for Debian



On Wed, Apr 23, 2014 at 12:45:10PM +0100, Ben Hutchings wrote:
> On Tue, 2014-04-22 at 22:41 +0200, Yves-Alexis Perez wrote:
> [...]
> > NOTE: I don't want to dismiss Mempo attempts, especially the
> > reproducible build part, and I also think it's valuable to provide our
> > users a grsec kernel as part of the distribution, just that I preferred
> > to go the featureset way.
> 
> I do want to see the Mempo reproducible build work go upstream and/or
> into src:linux, as appropriate.  Unfortunately it's currently siloed
> just like grsec itself.

Well, I guess the non-grsec related stuff can go upstream/src:linux, but
as I'm not involved in the project, I can't really say.
> 
> > I had the impression that adding a new copy of the linux sources was not
> > really something appreciated by the project, and re-using linux-source
> > (binary) package means the patch porting needs to be done anyway.
> 
> That was what I thought, too.  Specifically, the security team is
> generally opposed to such duplication.

Well, speaking with my security team hat, I can't say I really like it,
but that's not really like having multiple copies of a library either.

Sharing an orig.tar.xz between multiple source packages would be nice
here (although it wouldn't help in case we have different versions).

In any case, that's something I'd accept, but I don't think I can have
the final word on this :)

> > But if I'm wrong or if things have changed since then, and there's
> > indeed a consensus for the vanilla + grsecurity + make deb-pkg as an
> > easy way to provide grsec kernels in the Debian archive, then I'm all
> > for it.
> 
> Well 'make deb-pkg' doesn't work with a source package so you can't use
> it as a basis for official Debian packages.

Yeah, sorry my words were a bit confusing. I really mean “using a
vanilla linux.tar.xz, adding the grsecurity patch and the Debian .config
and building a Debian package with that”.
> 
> The options I see are:
> - Provide a source package based on src:linux that includes only the
> grsec featureset 

Which is more or less what I do with my current patchset (except that I
keep the src:linux name, but that could be changed pretty easily I
think).

> on top of an appropriate base version

I'm not sure I understand what you mean here. You mean staying at
3.2/3.13 for example?

> - Provide a source package that builds only a 'source' binary package
> (like linux-source-3.13)

I'm not sure what's the point here? Is it about having a source package
providing a binary package containing the unpatched vanilla linux sources,
which a src:linux-grsec package could build-depend on, then I guess we
can just have vanilla linux as orig.tar.xz instead of having to
build-dep on a linux-source-vanilla-3.13.
> 
> In any case, it needs long-term upstream support, which for jessie would
> presumably mean using 3.13 as a base, whereas src:linux will be a later
> version.

I guess so.

Regards,
-- 
Yves-Alexis Perez
