Re: Adamantix

To: Javier Fern?ndez-Sanguino Pe?a <jfs@computer.org>
Cc: Kim <kim@info.dk>, debian-security@lists.debian.org
Subject: Re: Adamantix
From: Steve Kemp <skx@debian.org>
Date: Thu, 17 Jun 2004 15:36:11 +0100
Message-id: <[🔎] 20040617143610.GA4510@steve.org.uk>
Reply-to: Steve Kemp <skx@debian.org>
In-reply-to: <[🔎] 20040617140949.GA18516@dat.etsit.upm.es>
References: <[🔎] 000e01c4546d$3734eb80$99e4aad5@mainframe> <[🔎] 20040617140949.GA18516@dat.etsit.upm.es>

On Thu, Jun 17, 2004 at 04:09:49PM +0200, Javier Fern?ndez-Sanguino Pe?a wrote:

> 2.- Besides the kernel changes, Adamantix recompiles the distribution with
> a GCC patch that should limit buffer overflows, this one is called SPP
> (formerly known as ProPolice). Steven Kemp is currently testing its impact
> (see http://shellcode.org/Cat/). Gcc 3.3 does not yet include the patch per
> default since it has not been sufficiently tested on non-i386 archs AFAIK
> (see #233208 and #213994 for more information) There have been a number of
> discussions at -devel regarding this patch (browse the archives)

  I've recently (less than two days ago) updated my SSP enabled
 compiler for unstable, this is described in the link above, and
 can be downloaded with the following sources list:

#
#  SSP / ProPolice GCC and supporting packages.
#
#  Raw Index
#
deb     http://people.debian.org/~skx/apt/unstable ./
deb-src http://people.debian.org/~skx/apt/unstable ./

> 2.- the pre-compiled packages are not available currently in Debian, but 
> you can re-compile them yourself. Debian might provide, in the future, a 
> i386 'flavor' that is compiled with SPP. However, this will be a different 
> "architecture" (just like i386 is different from sparc) and that means 
> there is a need for mirror space and porters.

  I think there's little value in using another "arch" to seperate this 
 stuff if the intention is to increase the security of Debian machines.
 If there are drawbacks to using it for x86 these should be discovered
 and fixed, so that all intel users can benefit.

> So, even though all those features are currently easier to be found on 
> Adamantix (after all it's a very feature-specific distribution) they will 
> be available in Debian, fully supported and maybe even within the default 
> installation, sometime in the future. 

  There don't seem to be too many people interested in this kind of
 thing, although SELinux is gaining momentum at least.
 Unless there is more testing and discussion the situation isn't likely
 to change soon.

> How can you speed it up? Help get more testing/documentation done for the 
> Adamantix-specific things and help make this new 'i386-spp' flavor 
> available by testing both the SPP patches and packages compiled with SPP 
> enabled.

  I can help with the later, rebuilding packages is usually fairly 
 trivial, and minimal testing is straightforward it's the distributing
 that I cannot manage alone.  (I can't build the packages on Debian
 machines because I lack the ability to upload new GCCs into the
 build environment or that would solve my problems).

  If there is demand I can share small packages, apache, bind, ssh etc
 with people but nowhere near a full mirror of unstable.

> Notice that Adamantix's FAQ is not correct in some of the points they make 
> (see http://www.adamantix.org/faq.html). You can submit bugs to Debian's 
> BTS if they are related to any of the above.

  Yes.

> >    Futher information is provided at [1]http://www.trusteddebian.org/
> 
> That link is not correct, and might be deprecated in the future, use 
> www.adamantix.org

  It's already depreciated due to the trademark issues, this is why
 the name was changed to Adamantix.

Steve
--

Reply to:

References:
- Adamantix
  - From: "Kim" <kim@info.dk>
- Re: Adamantix
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Re: Adamantix
Next by Date: Momentan nicht erreichbar
Previous by thread: Re: Adamantix
Next by thread: Momentan nicht erreichbar
Index(es):
- Date
- Thread