Re: NSA software in Debian
On Fri, 24 Jan 2014, Marko Randjelovic <firstname.lastname@example.org> wrote:
> > I would also like this. Yesterday I started compiling 3.2.54 with grsec
> > and PaX. A ready Debian kernel(-source) with grsec and PaX would be
> > fine. Currently I am distributing my special packages via my own
> > repository - is there any concern when making it public (copyright,
> > etc.)?
> I managed to do it from official kernel 3.2.51-1. I removed all
> features/* patches without consideration because there were too many of
> them (905). Then I had to remove many other patches to resolve
> conflicts. If patch file f is patched consequently by patches p1, p2,
> if patch p1 is removed, then p2 may fail.
The correct thing to do is just prepare a GRSecurity patch that applies on top
of the Debian kernel patches. At one time (10+ years ago) I was maintaining
patches for GRSecurity and LSM/SELinux and doing this for every new Debian
kernel package and new version of GRSecurity and LSM/SELinux.
The above package looks like it needs some work. The description doesn't
appear to have been updated since LSM became part of the main kernel tree and
it references kernel 2.4.x.
Really what this all depends on is having people in Debian with the spare time
and kernel coding skill needed to just make the patches in question work. If
the above package doesn't cleanly apply against the kernel you want to use
then you could join in the coding work.
I think that anyone who has enough skill in kernel issues that the absence of
LSM hooks will provide them with an advantage when dealing with attackers
should be able to do such coding easily.
Marko, it might be best if you have an off-list discussion with Laszlo about
how his package doesn't meet your requirements and how you might help him with
Laszlo, please don't take this as criticism. I know that maintaining such a
kernel patch for Debian is a difficult project, you have to deal with two
different upstreams that move at different speeds.
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/