On 2018-02-02 21:25:31, Moritz Mühlenhoff wrote:
> Antoine Beaupré wrote:
>> There are, however, people *not* running Debian-built kernels, and
>> sometimes for good reasons. This is a configuration that we should
>> still support.
>
> It is supported, but it's also clearly documented that people need to
> enable this sysctl for custom kernels:
> https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security

True. I guess what I'm arguing for is to do this explicitly from here on.

>> Incidentally, I wonder if we should remove the patch we have on the
>> Debian kernels to change the defaults, and instead rely on the
>> sysctl. I have added the kernel team in CC to have their input.
>
> Why revert the kernel? That doesn't buy us anything. It would be
> better to ask upstream to revisit this decision (e.g. by contacting
> the KSPP mailing list). I suppose that SuSE, Ubuntu and Red Hat
> are shipping similar patches/defaults, so it's probably safe to say
> that those protections are now the status quo (as opposed to five
> years ago when that feature was freshly introduced).

It was just an idea: I'm fine with keeping the patch and I think it's a
good idea to enforce this in two places, to keep defense in depth.

I'm not sure I want to go through the emotional trauma of trying to
bring this upstream, unfortunately. ;)

Thanks for the response.

A.

-- 
All governments are run by liars and nothing they say should be
believed.
                        - I. F. Stone
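The "two places" the thread settles on (the Debian kernel patch that changes the built-in default, plus an explicit sysctl setting so custom kernels get the same value) can be checked and enforced with a small script. What follows is an added example, not code from the thread, from Debian's kernel packaging or from the release notes. The thread never names the sysctl it is discussing; the script uses fs.protected_hardlinks and fs.protected_symlinks as stand-ins, which is my assumption, and the HARDENING_SYSCTLS list, the function names and the fragment path are likewise mine. The check reads /proc/sys directly rather than calling sysctl(8), so it reports what the running kernel actually has regardless of which layer set it; the tree root is a parameter so the logic can be exercised against a constructed directory as well as the live one.

```shell
#!/bin/sh
# Added example; not part of the thread or of Debian's packaging.
# ASSUMPTION: the thread does not name its sysctl. fs.protected_hardlinks
# and fs.protected_symlinks are used here as stand-ins for "a hardening
# sysctl the Debian kernel patch enables by default but a custom kernel
# will not". Edit the list to match the real one.
HARDENING_SYSCTLS="fs.protected_hardlinks=1 fs.protected_symlinks=1"

# Print the live value of sysctl $2 from the procfs tree rooted at $1
# (normally /proc/sys). Reading the file directly shows what the running
# kernel has, whether the kernel default or a sysctl.d fragment set it.
# Prints nothing and returns 1 if the key does not exist in that kernel.
read_sysctl() {
    root=$1; key=$2
    path="$root/$(printf '%s' "$key" | tr . /)"
    [ -r "$path" ] || return 1
    cat "$path"
}

# Check every "key=expected" pair in HARDENING_SYSCTLS against the tree
# rooted at $1. Returns 0 only if all keys exist and hold the expected
# value; otherwise prints one line per failing key and returns 1.
# A MISSING key means the running kernel lacks the feature entirely,
# which no sysctl.d fragment can fix, so it is reported separately.
check_hardening() {
    root=$1
    rc=0
    for pair in $HARDENING_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        if ! have=$(read_sysctl "$root" "$key"); then
            echo "MISSING $key"
            rc=1
            continue
        fi
        if [ "$have" != "$want" ]; then
            echo "WRONG $key: have $have, want $want"
            rc=1
        fi
    done
    return $rc
}

# Render a sysctl.d fragment that states the values explicitly, the second
# of the two layers: the Debian kernel patch sets the default, the fragment
# restores it on a custom kernel that does not carry the patch.
render_sysctl_fragment() {
    printf '# Hardening defaults the Debian kernel patch already sets;\n'
    printf '# stated explicitly so custom kernels get them too.\n'
    for pair in $HARDENING_SYSCTLS; do
        printf '%s = %s\n' "${pair%%=*}" "${pair#*=}"
    done
}

# Live use (the fragment path is an assumed name; writing it needs root):
#   sh hardening-check.sh --live
# exits non-zero and lists the offending keys when the running kernel
# disagrees with the list; pipe render_sysctl_fragment into
# /etc/sysctl.d/99-hardening.conf and run "sysctl --system" to fix it.
if [ "${1:-}" = "--live" ]; then
    check_hardening /proc/sys
fi
```

Running the check against /proc/sys on both a Debian-built kernel and a custom one is the quickest way to see whether the documented requirement for custom kernels was actually followed, independent of which layer is supposed to provide it.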