Re: Debian Hardened project status.
On Mon, 27 Sep 2004 00:39, Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
wrote:
> > Most of the features you list are things that are difficult to get into
> > Debian/main.
>
> Not too really difficult, it depends on how it gets developed:
> http://www.debian-hardened.org/wiki/index.php/CVS_Development_Organization
>
> SSP and PIE don't affect the binaries performance (not seriously), and
> arbitrary patches get tested before using them. It goes under the lead210
> pool before it goes to system-dh.

These things are obviously difficult due to the amount of time that has been
spent on them without anything getting into main.
The last discussion of SSP resulted in the GCC package maintainers indicating
that they wanted to wait for Mudflap, other discussion indicates that Mudflap
won't do what we really want in regard to such things (more of a debugging
tool than a method of securing production code). So I guess SSP is on hold
until after Mudflap.

> > > About the kernels...the work is in production state, I've currently
> > > tested them on some machines, 2 of them are shared environments
> > > (software-libre.org & ourproject.org) with user chroots, etc.
> > > I've also done the DHKP, but I'm going to remix it and use instead of
> > > the current patches (OW and others) the PaX + RSBAC + SELinux mix.
> >
> > You have RSBAC and SE Linux in the same kernel? What's the point?
>
> I haven't done that work, we are just starting to decide what's the
> painless solution.

Best thing to do is to have separate kernels for GRSEC, RSBAC, and SE Linux.
I am happy to test out all the SE Linux kernels you produce and review all
code and configuration that you use. Let me know when you are ready for me
to do this.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page