
Re: NSA software in Debian



On Fri, 24 Jan 2014, Marko Randjelovic <markoran@eunet.rs> wrote:
> > I would also like this. Yesterday I started compiling 3.2.54 with grsec
> > and PaX. A ready debian kernel(-source) with grsec and PaX would be
> > fine. Currently I am distributing my special packages via my own
> > repository - is there any concern when making it public (copyright,
> > etc.)?
> 
> I managed to do it from official kernel 3.2.51-1. I removed all
> features/* patches without consideration because there were too many of
> them (905). Then I had to remove many other patches to resolve
> conflicts. If patch file f is patched consecutively by patches p1, p2,
> and patch p1 is removed, then p2 may fail.

The correct thing to do is just prepare a GRSecurity patch that applies on top 
of the Debian kernel patches.  At one time (10+ years ago) I was maintaining 
patches for GRSecurity and LSM/SELinux and doing this for every new Debian 
kernel package and new version of GRSecurity and LSM/SELinux.

http://packages.debian.org/jessie/linux-patch-grsecurity2

The above package looks like it needs some work.  The description doesn't 
appear to have been updated since LSM became part of the main kernel tree and 
it references kernel 2.4.x.

Really what this all depends on is having people in Debian with the spare time 
and kernel coding skill needed to just make the patches in question work.  If 
the above package doesn't cleanly apply against the kernel you want to use 
then you could join in the coding work.

I think that anyone who has enough skill in kernel issues that the absence of 
LSM hooks will provide them with an advantage when dealing with attackers 
should be able to do such coding easily.

Marko, it might be best if you have an off-list discussion with Laszlo about 
how his package doesn't meet your requirements and how you might help him with 
the coding.

Laszlo, please don't take this as criticism.  I know that maintaining such a 
kernel patch for Debian is a difficult project, you have to deal with two 
different upstreams that move at different speeds.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
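The two points made in this message, that a later patch can stop applying once an earlier one is dropped, and that the fix is to regenerate the grsecurity patch against the already-patched Debian tree rather than against vanilla, can be shown with nothing more than diff(1) and patch(1). The script below is an added example and is not from the thread, from Debian or from grsecurity: the "kernel tree" is a constructed five-line file, the "Debian" and "grsec" patches are toy edits to it, and the hand-merged result in step 2 is constructed to stand in for the manual conflict resolution a real rebase needs.

```shell
#!/bin/sh
# Added example, not from the thread: toy reproduction of a vanilla-based
# patch failing on a Debian-patched tree, and of the rebase that fixes it.
# Uses only diff(1) and patch(1) on a constructed one-file "kernel tree".

# Builds the toy trees, shows that the vanilla-based "grsec" patch does not
# apply to the "Debian" tree, regenerates it against the Debian tree and
# applies it there, then prints the resulting foo.c.  Diagnostics go to
# stderr so that stdout carries only the final file.
rebase_demo() (
    set -e
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"
    mkdir vanilla debian grsec merged target

    # diff(1) exits 1 when the files differ, which is the case we want.
    mkdiff() { diff -u "$1" "$2" > "$3" || [ $? -eq 1 ]; }

    # Constructed upstream ("vanilla") file.
    printf '%s\n' '#include "foo.h"' 'int x = 1;' 'int y = 2;' \
        'int z = 3;' 'void f(void) {}' > vanilla/foo.c

    # Constructed "Debian" patch: Debian's series rewrites line 3.
    sed 's|int y = 2;|int y = 20;|' vanilla/foo.c > debian/foo.c
    mkdiff vanilla/foo.c debian/foo.c debian.patch

    # Constructed "grsec" patch, written against vanilla: it also rewrites
    # line 3, so it depends on that line still reading as vanilla has it.
    sed 's|int y = 2;|int y = 2; /* grsec */|' vanilla/foo.c > grsec/foo.c
    mkdiff vanilla/foo.c grsec/foo.c grsec.patch

    # Step 1: the vanilla-based patch fails on the Debian tree because the
    # line it removes no longer exists there (Marko's p1/p2 dependency).
    cp debian/foo.c target/foo.c
    if patch -p1 -d target --dry-run < grsec.patch > /dev/null 2>&1; then
        echo "unexpected: vanilla-based grsec.patch applied cleanly" >&2
        exit 1
    fi
    echo "vanilla-based grsec.patch does not apply to the Debian tree" >&2

    # Step 2: resolve the conflict by hand (here a constructed merge result
    # that keeps Debian's change and adds the grsec one), then regenerate
    # the patch against the Debian tree instead of against vanilla.
    sed 's|int y = 20;|int y = 20; /* grsec */|' debian/foo.c > merged/foo.c
    mkdiff debian/foo.c merged/foo.c grsec-on-debian.patch

    # Step 3: the rebased patch applies cleanly to a fresh Debian tree.
    patch -p1 -d target --dry-run < grsec-on-debian.patch > /dev/null
    patch -p1 -d target < grsec-on-debian.patch > /dev/null
    echo "rebased grsec-on-debian.patch applied cleanly" >&2
    cat target/foo.c
)

# Run it directly to see the three steps and the merged file.
rebase_demo
```

On a real tree the same three steps are: unpack the Debian source with its patch series applied, try the upstream grsecurity patch with `--dry-run` to list the rejected hunks, resolve those by hand, and then `diff -urN` the Debian tree against the merged tree to produce the patch that the linux-patch-grsecurity2 package would carry. Keeping the Debian tree as the diff base is what makes the result track Debian's kernel package rather than vanilla.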