Re: Linux 3.2 in wheezy

To: Yves-Alexis Perez <corsac@debian.org>
Cc: debian-kernel@lists.debian.org, debian-devel@lists.debian.org, debian-security@lists.debian.org, 605090@bugs.debian.org, spender@grsecurity.net
Subject: Re: Linux 3.2 in wheezy
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 30 Jan 2012 14:08:18 +0000
Message-id: <1327932498.5400.432.camel@deadeye>
In-reply-to: <1327917933.2285.18.camel@scapa>
References: <20120129182205.GR12704@decadent.org.uk> <1327867067.13223.3.camel@hidalgo> <1327872371.5400.375.camel@deadeye> <1327917933.2285.18.camel@scapa>

On Mon, 2012-01-30 at 11:05 +0100, Yves-Alexis Perez wrote:
> (adding few CC:s to keep track on the bug)
> 
> On dim., 2012-01-29 at 21:26 +0000, Ben Hutchings wrote:
> > On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote:
> > > On dim., 2012-01-29 at 18:22 +0000, Ben Hutchings wrote:
> > > > Featuresets
> > > > -----------
> > > > 
> > > > The only featureset provided will be 'rt' (realtime), currently built
> > > > for amd64 only.  If there is interest in realtime support for other
> > > > architectures, we may be able to add that.  However, we do need to
> > > > consider the total time taken to build binary packages for each
> > > > architecture.
> > > > 
> > > > If there are particular container features that should be enabled or
> > > > backported to provide a useful replacement for OpenVZ or VServer,
> > > > please let us know.  We cannot promise that these will all be enabled
> > > > but we need to know what is missing. 
> > > 
> > > So in the end what are the reasons for not trying the grsecurity
> > > featureset? #605090 lacks any reply from the kernel team since quite a
> > > while, and especially after answers were provided to question asked.
> > 
> > You already know the main reason:
> > > Feature-wise, Brad Sprengler and the PaX team still add stuff, like the
> > > gcc plugins or hardening features like symbols hiding, fix bugs (for
> > > example in RBAC code), while few of them reach mainline.
> > 
> > I realise that the mainline Linux developers have sometimes been
> > unreasonably resistant to these changes and I'm not intending to assign
> > blame for this.  But practically this means that we have to either carry
> > the featureset indefinitely or disappoint users by removing it in a
> > later release.  (See the complaints about removing OpenVZ in wheezy
> > despite 4 years' advance notice of this.)
> 
> I understand this, and I still see the grsec featureset as a valuable
> project. Indeed, reducing the diff wrt. upstream in Debian kernel is an
> important goal (especially considering the time involvement).
> 
> Now, I still think having a hardened Debian kernel inside the
> distribution is helpful
[...]

I agree and I would like to see hardening of *all* our configurations,
where the performance cost is not too much.  That's going to protect all
our users rather than just people who seek out a special paranoid
configuration.

Ben.

-- 
Ben Hutchings
Lowery's Law:
             If it jams, force it. If it breaks, it needed replacing anyway.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: Bug#605090: Linux 3.2 in wheezy
  - From: Yves-Alexis Perez <corsac@debian.org>

References:
- Re: Linux 3.2 in wheezy
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: Re: Linux 3.2 in wheezy
Next by Date: Re: Testers needed for Tomcat security update
Previous by thread: Re: Linux 3.2 in wheezy
Next by thread: Re: Bug#605090: Linux 3.2 in wheezy
Index(es):
- Date
- Thread