
Opinion about linux-grsec in a stable release



Hi teams,

[first of all, I'm writing this with my linux-grsec hat, not my Debian
security team member hat, obviously]

As you may know, src:linux-grsec was accepted in unstable earlier this year.
As a quick summary, this is a Linux source package (forked from and
periodically rebased against src:linux) which generates a Linux kernel with
the grsecurity hardening patch (the patch is mostly about fighting memory
corruption bugs, but not only; I won't go into details here to keep it
short, but more information can be found in the ITP bug #605090).

When the package was accepted into unstable, I filed #810506 with severity
serious in order to prevent it from migrating to testing, because I wasn't
really sure it'd be fit for stable.

There are two main aspects for this:

- it's a new Linux kernel source package, next to the existing src:linux, so
that means code duplication
- due to the grsecurity release model, it's likely that it won't be possible
to stick with a major kernel version (4.3 right now, 4.4 upcoming), we would
have to upgrade to the latest major release (using stable uploads)

Even with these caveats, it seems that there is still interest from people
(including me) in having src:linux-grsec included in a stable release. I asked
the backports team about this [1], and they were not thrilled about it,
because backports are for packages to be included in the next Debian release
(although the discussion isn't really over at this point).

So I'm asking the security team and release team for their opinion on this, in
order to have a somewhat formal answer which can be archived here.

Do you think it'd be possible to have src:linux-grsec included in Stretch,
with the two main points above?

The answer doesn't need to be right now, in case you'd prefer seeing how
things evolve in unstable for some time.

Thanks in advance,

[1] https://lists.debian.org/debian-backports/2016/01/msg00027.html
-- 
Yves-Alexis
