
Re: NSA software in Debian



On Thu, 23 Jan 2014 15:41:57 +0100
Kevin Olbrich <kolbrich@dolphin-it.de> wrote:

> >> A followup there links to the following bug, "linux-2.6: [RFC] Add a grsec featureset to Debian kernels":
> >> 
> >>    <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090>
> > 
> > This would of course be the real solution.
> 
> I would also like this. Yesterday I started compiling 3.2.54 with grsec and PaX. A ready Debian kernel(-source) with grsec and PaX would be fine.
> Currently I am distributing my special packages via my own repository - is there any concern when making it public (copyright, etc.)?

I managed to do it from official kernel 3.2.51-1. I removed all
features/* patches without consideration because there were too many of
them (905). Then I had to remove many other patches to resolve
conflicts. If patch file f is patched consequently by patches p1, p2,
if patch p1 is removed, then p2 may fail.

1. If p2 fails, then probably it's not needed, but it may, and it may
be a security patch. Thus it is very important all security patches be
clearly marked as such.
2. If p2 doesn't fail, then probably it's needed, but it's possible it's
not, and even that it makes a bug, and even that it makes a security
bug.

Thus, my opinion is that features patches make more problems than
benefit. There are newer kernels from backports repo. Currently,
among other patches, kernel 3.2.51-1 contains drm-3.4 patch, by which
you get something from kernel 3.4, and on the other hand you can simply
choose one of backported kernels: 3.9.6-1~bpo70+1, 3.10.5-1~bpo70+1,
3.10.11-1~bpo70+1, 3.11.10-1~bpo70+1, 3.12.6-2~bpo70+1.

-- 
Education is a process of making people see what is advanced and not
obvious, but it can also make us not see what is basic and obvious.

http://markorandjelovic.hopto.org
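
The p1/p2 situation described in the message above, as an added example that is not part of the original post: after dropping patches from a series, list every kept patch that touches a file an earlier removed patch also touched, so it gets manual review whether it fails or still applies. The series, patch names and contents are constructed, and file-level overlap is only a heuristic for dependency.

```python
import re

# Constructed sample: a three-patch series in apply order (names and contents are made up).
SERIES = ["features/p1.patch", "bugfix/p2.patch", "bugfix/p3.patch"]
PATCHES = {
    "features/p1.patch": "--- a/fs/exec.c\n+++ b/fs/exec.c\n@@ -1,2 +1,3 @@\n a\n+b\n c\n",
    "bugfix/p2.patch": "--- a/fs/exec.c\n+++ b/fs/exec.c\n@@ -2,2 +2,2 @@\n-b\n+B\n c\n",
    "bugfix/p3.patch": "--- a/mm/mmap.c\n+++ b/mm/mmap.c\n@@ -1 +1 @@\n-x\n+y\n",
}

# A unified-diff file header: a '--- old' line directly followed by '+++ new'.
HEADER = re.compile(r"^--- .*\n\+\+\+ (?:b/)?(\S+)", re.MULTILINE)

def touched_files(patch_text):
    """Return the set of paths named in the '+++' headers of a unified diff."""
    return {p for p in HEADER.findall(patch_text) if p != "/dev/null"}

def review_list(series, patches, removed):
    """Map each kept patch to the earlier removed patches sharing a file with it."""
    removed_files = {}  # path -> removed patches seen so far that touch it
    flagged = {}
    for name in series:
        files = touched_files(patches[name])
        if name in removed:
            for path in files:
                removed_files.setdefault(path, []).append(name)
            continue
        deps = sorted({r for path in files for r in removed_files.get(path, [])})
        if deps:
            flagged[name] = deps
    return flagged

if __name__ == "__main__":
    for kept, deps in review_list(SERIES, PATCHES, {"features/p1.patch"}).items():
        print(f"review {kept}: follows removed {', '.join(deps)}")
```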

