Hi, On Wed, Jan 26, 2011 at 01:29:14PM +0100, Yves-Alexis Perez wrote: > Due to the performances concerns, I've decided to keep UDEREF and > KERNEXEC disabled on amd64 for now anyway, so those will disappear > (independently of the i386 decision).
This doesn't seem like a good idea. The bulk of heavy-duty kernel hardening is with KERNEXEC and UDEREF. If someone is interested in speed, they can choose i386. But if someone wants a hardened kernel and amd64, they should have the option. I'd leave those on for both. -Kees -- Kees Cook @debian.org -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
