On 19/04/14 07:11, Tom Gundersen wrote:
> On Wed, Apr 16, 2014 at 6:09 AM, Daniel Micay <[email protected]> wrote:
>> There has been a recent surge of interest in securing Arch by paying
>> closer attention to CVEs and addressing many security issues in our
>> packages. I also started some initial work/documenting on securing the
>> services shipped in various packages:
>>
>> https://wiki.archlinux.org/index.php/DeveloperWiki:Service_isolation
>
> I'm very happy that more people are now looking at security related
> things in Arch. Nice work!
>
>> To go along with this, I'm interested in maintaining the grsecurity
>> kernel and userspace tools in [community] to provide a hardened kernel
>> and role-based access control system. This would be the first case of an
>> alternative kernel in the repositories, so I'm open to discussion about
>> whether it's appropriate to do this. There are also some issues relevant
>> to other packages in the repositories.
>
> Hmm, grsec seems like a dead-end to me. It will never land upstream,
> and hence will never be in our standard kernel and our default
> packages will therefore never be integrated with it. So whatever work
> you do will have to live independently in perpetuity. At worst it
> would split our (very limited) development and QA resources.
>
> Would it not make more sense to focus on some other security features
> that are actually upstream and which can then at least potentially be
> merged into our default packages eventually?
>
> Maybe another option, if you really think grsec is the way to go,
> would be to simply create a new unofficial repository and put the
> packages there instead?

I'd say an unofficial repo is the way to go for the time being.
linux-grsec in the AUR only has 44 votes, so it is not screaming out for
inclusion in the repos.

Allan

