Re: Debian Hardened project (question about use of the "Debian" trademark)
On Fri, Sep 17, 2004 at 10:55:33PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> Yes. The `apt-get install hardened` was an example of something 100% easy
> to use :D
Unfortunately whilst easy to use is good the idea of rebuilding the
packages presented so far isn't going to be easy to setup.
Either you end up rebuilding the archive with PaX + SSP + etc and
distributing that, which then effectively becomes a fork, or you have
to update the buildd network to include these things *by default*
which is unlikely to happen in the short term.
> I agree with you, the packages should be just one branch: main.
> All the packages should include the hardening features as they don't
> interrupt with the software.
That would be a worthy goal, and something I'd love to see. I
suspect that without real testing and a lot of motivation it is
unlikely to occur quickly though.
> > Now, if you're after creating SELinux, GRSecurity, and RSBAC policies,
> > those can be controlled by boot time parameters to the kernel. Also, as
> > long as they're off, there's no need for the user to install the policy.
> > Those are the types of things that can *feasibly* be made optional,
> > because they don't require a recompile.
> Yes, I had the same idea, it's fine.
> Recompile WOULDN'T BE NEEDED in any way.
For those other things? No, that is correct, recompiling is not
required; however, for SELinux at least there must be the creation
and distribution of policies. There was some discussion on this
on debian-devel a while back, which I understood to be a lot of
Of course no policy is going to apply to all users, so there
will be a bit of 'unsimpleness' involved for some.
> Yes, PaX flags, etc....
> I agree with you again, there's no need to separate the packages into
> two different brands/branches.
So practically, how do you see going forward?
> I think we can collaborate, and I'm really interested in working
> together with the people of the Debian project, also with the Debian
> security crew (Steve!),
Assuming you mean me - I'm not associated with the Security people.
Just to be clear ..
> so, just tell me, I'm waiting to hear a big
> "We think it's great to work with it" and also I think my objectives are
I, personally, think that having the archive compiled with things
like PaX/SSP is a good thing. I suspect that testing it and getting
it all working is such a large effort that the buildds aren't going
to switch overnight (if ever) and that changing this is going to be
Practically I'm not sure what this means, the obvious course is
to build and test things then report back 'hey it works'. Whether
that will be sufficient to convince people remains to be seen -
especially as things look like they are changing anyway.
(GCC seem to be moving with mudflap and not integrating SSP for
> PS: Good night!
Good night - 23:38 here, and I'm going to the pub!