On Mon., 2012-06-25 at 09:49 +0000, Laszlo Boszormenyi (GCS) wrote:
> Hi Yves-Alexis,
> 
> On Mon, 2012-06-25 at 11:17 +0200, Yves-Alexis Perez wrote:
> 
> > I noticed your upload of the latest Grsecurity patches to Debian. While I
> > would very much like to have decent Grsecurity support in Debian, I'm not
> > quite sure this package, in the current state, really helps that (I'm not
> > sure shipping the patch itself makes sense anyway).
>  Users without a decent internet connection may need this.

Yes, but they'll still need to download the Debian package somehow.
Shipping binary packages makes sense because people can do a mirror sync
and be done (or use a DVD, stuff like that). Shipping a plain patch in
binary packages, just like that, doesn't make much sense anyway.
> 
> > Right now, the documentation mentions dh-kpatches and make-kpkg, and implies
> > the patch could be applied to the Debian sources. That's just wrong.
>  No, please see README.2.4.2x. It states that since 2003, it just won't
> apply to Debian kernels. First you have to unpatch the Debian
> modifications.

I run a 3.2 kernel (or maybe a 2.6). So README 2.4 doesn't exactly
apply to anything. It should be renamed, or removed. In any case, all
the documentation should be completely redone, imho.

> 
> > Right now, the only difference with downloading upstream sources directly
> > seems to be that you lack the GPG signature.
>  Again no, please see the source package, which contains the GPG signatures.

That's not enough, the signature should be in the binary package.
> 
> > I guess you might want to tune the package, either to adapt it to debian
> > sources, or to properly document how to build the kernel (replacing
> > make-kpkg by make deb-pkg for example), or maybe something else.
>  Maybe the package needs a tool added, which builds the vanilla kernel
> with grsecurity applied.

> 
> > But I'm afraid right now the package, although now up2date, is just useless
> > and confusing for users.
>  What do you propose? Drop the make-kpkg stuff and add its own build tool?

I have no idea what your final intent with the package is, I'm just
saying that right now it's a bit inconsistent.
> 
> > Sorry if the tone is a bit rude, it's not intended, I'm very much interested
> > in ways to improve Grsecurity support in Debian.
>  Until we can discuss the views of the package, I don't count it as
> rude. Please note that it would require way too much expertise and time
> to always merge Debian changes with grsecurity.

I know, I'm doing it, see #605090 and
http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary

>  All in all, I think
> SELinux is more common if you need restrictions on your Linux OS.

To be honest, I don't use RBAC, I'm more interested in the PaX and
generic Grsec hardening than in MAC.

Regards,
-- 
Yves-Alexis
