Bug#810506: Opinion about linux-grsec in a stable release
On Wed, Mar 2, 2016 at 10:09:47 +0100, Yves-Alexis Perez wrote:
> Hi teams,
>
> [first of all, I'm writing this with my linux-grsec hat, not my Debian
> security team member hat, obviously]
>
> As you may know, src:linux-grsec was accepted in unstable earlier this year.
> As a quick summary, this is a source linux package (forked from and
> periodically rebased against src:linux) which generates a linux kernel with
> the grsecurity hardening patch (the patch is mostly about fighting memory
> corruption bugs, but not only, I won't enter into details here to keep it
> short, but more information can be found in the ITP bug #605090).
>

At this point I think it's not a good fit for stable. Something very much like backports, where you can update the package easily and often, seems like it'd make supporting the package easier. We only update (old)stable every few months, which depending on timing vs upstream releases could become quite awkward.

Cheers,
Julien
Bug#810506: Opinion about linux-grsec in a stable release
On Wed, Mar 02, 2016 at 09:01:34PM +0100, Yves-Alexis Perez wrote:
> On Wed., 2016-03-02 at 20:06 +0100, Moritz Muehlenhoff wrote:
> > Before considering that, did anyone approach grsecurity about whether we can get
> > access to the grsecurity stable patches? We would most definitely have Debian
> > funds to become grsecurity sponsors to obtain access to stable patches.
>
> I think that'd be something nice anyway, but…
>
> > Whether that's possible/desirable by grsecurity is the question, though:
> > Having the stable patches in Debian would make them available to the
> > general public (including those sleazy embedded companies which made them
> > change their distribution scheme).
>
> Indeed, I didn't even bother to ask because when you gain access to the stable
> patches, you commit yourself to not make them available publicly, which is
> obviously exactly what we would do.

It's the release team's call, but IMO unless upstream changes their policy to allow public access to stable patches again, this seems rather like a case for a PPA or possibly backports (but they generally require backports from what is in testing).

Cheers,
Moritz
Bug#810506: Opinion about linux-grsec in a stable release
On Wed., 2016-03-02 at 20:06 +0100, Moritz Muehlenhoff wrote:
> Before considering that, did anyone approach grsecurity about whether we can get
> access to the grsecurity stable patches? We would most definitely have Debian
> funds to become grsecurity sponsors to obtain access to stable patches.

I think that'd be something nice anyway, but…

> Whether that's possible/desirable by grsecurity is the question, though:
> Having the stable patches in Debian would make them available to the
> general public (including those sleazy embedded companies which made them
> change their distribution scheme).

Indeed, I didn't even bother to ask because when you gain access to the stable patches, you commit yourself to not make them available publicly, which is obviously exactly what we would do.

Regards,
--
Yves-Alexis
Bug#810506: Opinion about linux-grsec in a stable release
On Wed, Mar 02, 2016 at 10:09:47AM +0100, Yves-Alexis Perez wrote:
> Hi teams,
>
> [first of all, I'm writing this with my linux-grsec hat, not my Debian
> security team member hat, obviously]
>
> As you may know, src:linux-grsec was accepted in unstable earlier this year.
> As a quick summary, this is a source linux package (forked from and
> periodically rebased against src:linux) which generates a linux kernel with
> the grsecurity hardening patch (the patch is mostly about fighting memory
> corruption bugs, but not only, I won't enter into details here to keep it
> short, but more information can be found in the ITP bug #605090).
>
> When the package was accepted to unstable, I filed #810506 with severity
> serious in order to prevent it from migrating to testing, because I wasn't
> really sure it'd be fit for stable.
>
> There are two main aspects for this:
>
> - it's a new Linux kernel source package, next to the existing src:linux, so
>   that means code duplication
> - due to the grsecurity release model, it's likely that it won't be possible
>   to stick with a major kernel version (4.3 right now, 4.4 upcoming), we would
>   have to upgrade to the latest major release (using stable uploads)

Before considering that, did anyone approach grsecurity about whether we can get access to the grsecurity stable patches? We would most definitely have Debian funds to become grsecurity sponsors to obtain access to stable patches.

Whether that's possible/desirable by grsecurity is the question, though: having the stable patches in Debian would make them available to the general public (including those sleazy embedded companies which made them change their distribution scheme). (However, a determined, GPL-violating embedded company who wants access to the stable patches would likely find a way anyway.)

Cheers,
Moritz
Bug#810506: Opinion about linux-grsec in a stable release
Hi teams,

[first of all, I'm writing this with my linux-grsec hat, not my Debian security team member hat, obviously]

As you may know, src:linux-grsec was accepted in unstable earlier this year. As a quick summary, this is a source linux package (forked from and periodically rebased against src:linux) which generates a linux kernel with the grsecurity hardening patch (the patch is mostly about fighting memory corruption bugs, but not only, I won't enter into details here to keep it short, but more information can be found in the ITP bug #605090).

When the package was accepted to unstable, I filed #810506 with severity serious in order to prevent it from migrating to testing, because I wasn't really sure it'd be fit for stable.

There are two main aspects for this:

- it's a new Linux kernel source package, next to the existing src:linux, so that means code duplication
- due to the grsecurity release model, it's likely that it won't be possible to stick with a major kernel version (4.3 right now, 4.4 upcoming), we would have to upgrade to the latest major release (using stable uploads)

Even with this caveat, it seems that there is still interest from people (including me) to have src:linux-grsec included in a stable release. I asked the backports team about this [1], and they were not thrilled about this because backports are for packages to be included in the next Debian release (although the discussion isn't really over at that point).

So I'm asking the security team and release team their opinion about this, in order to have a somewhat formal answer which can get archived here. Do you think it'd be possible to have src:linux-grsec included in Stretch, with the two main points above?

The answer doesn't need to be right now, in case you'd prefer seeing how things evolve in unstable for some time.

Thanks in advance,

[1] https://lists.debian.org/debian-backports/2016/01/msg00027.html

--
Yves-Alexis