Bug#605090: [grsec] update on featureset
On mar., 2011-10-11 at 16:52 +0200, Yves-Alexis Perez wrote: Ok so the tarball on the website isn't really convenient so, for now, I've put the quilt serie on a git repository on git.d.o: http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary Now upgraded to grsecurity 2.2.2-3.0.8-201110250925 against linux-2.6_3.0.0-6. Package (i386 and amd64) should be available on: deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/ tonight. Could we move forward on this? Since I got not reply at all after this mail, I'm asking again. I know people are busy and I know this bug is not the easiest to handle, but I'd really like to move on. Since the RT featureset was added not that long ago, I guess the concept of featureset is still welcome. I know the situation is different, but still, I really think Debian users would appreciate a grsecurity featureset, which wouldn't harm other people kernels thanks to the alternate image. Regards, -- Yves-Alexis Perez ANSSI/ACE/LAM signature.asc Description: This is a digitally signed message part
Bug#605090: [grsec] update on featureset
On Thu, 2011-11-10 at 15:46 +0100, Yves-Alexis Perez wrote: On mar., 2011-10-11 at 16:52 +0200, Yves-Alexis Perez wrote: Ok so the tarball on the website isn't really convenient so, for now, I've put the quilt serie on a git repository on git.d.o: http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary Now upgraded to grsecurity 2.2.2-3.0.8-201110250925 against linux-2.6_3.0.0-6. Package (i386 and amd64) should be available on: deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/ tonight. Could we move forward on this? Since I got not reply at all after this mail, I'm asking again. I know people are busy and I know this bug is not the easiest to handle, but I'd really like to move on. Since the RT featureset was added not that long ago, I guess the concept of featureset is still welcome. I know the situation is different, but still, I really think Debian users would appreciate a grsecurity featureset, which wouldn't harm other people kernels thanks to the alternate image. Every extra featureset that requires additional effort from the existing team members reduces the effort that can be spent on other tasks. Is the grsecurity patch getting bigger or smaller over time? Ben. -- Ben Hutchings You can't have everything. Where would you put it? signature.asc Description: This is a digitally signed message part
Bug#605090: [grsec] update on featureset
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 10/11/2011 16:24, Ben Hutchings wrote: Every extra featureset that requires additional effort from the existing team members reduces the effort that can be spent on other tasks. Yes, I definitely understand that, and I really intend to provide enough help to minimize the burdain on existing team members which don't care about that featureset. Is the grsecurity patch getting bigger or smaller over time? It's a bit hard to tell. Putting aside the various security backports (mainly relevant for the 2.6.32 patch), the size seems to have decreased a little since 2.6.39 (and risen in the 3.0 serie). Feature-wise, Brad Sprengler and the PaX team still add stuff, like the gcc plugins or hardening features like symbols hiding, fix bugs (for example in RBAC code), while few of them reach mainline. Regards, - -- Yves-Alexis Perez ANSSI/ACE/LAM -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.16 (GNU/Linux) iQIcBAEBCgAGBQJOu/91AAoJENcc3UqWxbaOkVAQAK5kcuOvmrASldaP0c/CpvXm AgQBfFLhPJjO8KxB/qDhdAcc4m9Kn7rYbmbFgHi5ujdHu99ccki1+wzZv12LFZkc VzNs12RQT8OboxQybfNcsRRgledwRGOCIefkKM91z05YSLBOmxNalpC//mcEqx+Y rSvoZ/+/X/ZFp7krKHULR2oeqJFohjBejnS3/6eLSQDN8HCvGi0QN/MF45X9O+aE vVhfzkDAV3LuyYXOi82Vi9y01W/7KtLbTGf8TEi7vh2XWwrdzHagnc/Lg28adxfu QaL/ufabLUY34fdB0R5AfSjKcpnyX4J/tpDEWeObtQTMQc/p/kb0yJXWBTAk3azI /PlF63OUxUhOh9wFASbYR5nZC+e8ToATA3XAYJ/nGoXKvC2vxD73DIk7jspgstS0 bVYLcuSQ4ZkxG2w3CmbgqdF0/92JTZ5PQEvL/0lM2lwYDFt4cZ4kY2xDK+7uo0uD 8j5Js51T0PPROhg0wKK3Zk5wxnReUj8sOnfB96GtCc8x05N5CCxr49pi6Zfdk6BM yO1tfvq75x9jfspzAv+mkhZDbfo47NcbKYLM+aZvJGKHavqCU0ejSOTCSNgsH8og cY8/tEhIMd3dSY4IXmj8eHl3gSVTkzwRDpRVpGxmicf3HGlfs2tMpLAtiRY4JS8I eOmxJ7Wbkpv5dstazq8y =eBwV -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ebbff75.1080...@ssi.gouv.fr
Bug#605090: [grsec] update on featureset
On Thu, Nov 10, 2011 at 05:44:37PM +0100, Yves-Alexis Perez wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 10/11/2011 16:24, Ben Hutchings wrote: Every extra featureset that requires additional effort from the existing team members reduces the effort that can be spent on other tasks. Yes, I definitely understand that, and I really intend to provide enough help to minimize the burdain on existing team members which don't care about that featureset. Is the grsecurity patch getting bigger or smaller over time? It's a bit hard to tell. Putting aside the various security backports (mainly relevant for the 2.6.32 patch), the size seems to have decreased a little since 2.6.39 (and risen in the 3.0 serie). Feature-wise, Brad Sprengler and the PaX team still add stuff, like the gcc plugins or hardening features like symbols hiding, fix bugs (for example in RBAC code), while few of them reach mainline. Maybe we can ask upstream, whether the RBAC code and the rest of the patch set can be separated? I don't think there's much interest in RBAC for a Debian feature set, while the rest is quite interesting. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2010170640.gb23...@inutil.org
Bug#605090: [grsec] update on featureset
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 10/11/2011 18:06, Moritz Muehlenhoff wrote: Maybe we can ask upstream, whether the RBAC code and the rest of the patch set can be separated? I don't think there's much interest in RBAC for a Debian feature set, while the rest is quite interesting. Unfortunately, I already asked upstream about a nicely splitted patch, but Brad didn't seem interested back in time. It might be worth re-asking though. Regards, - -- Yves-Alexis Perez ANSSI/ACE/LAM -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.16 (GNU/Linux) iQIcBAEBCgAGBQJOvAcIAAoJENcc3UqWxbaOK3cP/jUKp59eQbTfQ30JmQsAtKFB 3A2r9PRFvs0eex7O/DYXz2Ua/MFnfCxYg2Xuv79aqH+8mBX/WlmNmZfL7uHCT3Zx AgvT6A4LFxm5HNtQV4xnqflmEaxFCWBxVgv39ITeCvNKfxXKM6tYIXmb38GEhB79 srxrL1wW7Kad62YXngQeltTWbJIkWBBgcC29zERXpY/DDoQhwAvel4jSTu+L54NB zmc8X3YI7gcwMq0Xke+aPNqGu+IfQaUpOu8BVa3WwxN8fNhYkDddkmrJ2YdpcjeJ sawNl08d6zgZWntDTKe/KjvJpV9goxP/jKR9vUFYgSl+S90tGKzMzpAQFddgwTh9 h422D1Pbd9swyHQ32AN2RIxVEAf6zXcyZPpGw5NSdsbwu3A+1A4/BsTDkVNOKarq msS+0tFwSdwqe8aOvFawenuHmh1s33c6urZn6Bve6a1tWCTs1Lapydcl34VYAJrX ii5zsBAlA/Vl3NujUh8V0rvYzHADB4qjQFIUS+TyEEOaHLVBK4/fUlcGxZnS4HcV 6lw/+Nm7nSbgwBv7lbGRJwOgoT38KRNsh/03IQyC8qNLooHn31HJvctGxMt+o7Hu E2HqxJC2SPBQGoPXQdqRHK+Bi2z/ukS4u3dtfWsBZxkQQVi9w3Zq7Ele6dx7cXvb YOF14DsTQbVkg+hgaptH =j3zh -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ebc0708.4020...@ssi.gouv.fr
Bug#605090: [grsec] update on featureset
Ok so the tarball on the website isn't really convenient so, for now, I've put the quilt serie on a git repository on git.d.o: http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary The master branch for is for the sid branch in debian kernel svn, and there's a squeeze branch too (though it's for now out of date). I've updated the patches to the latest svn (sid) version and the latest grsecurity/pax patches and I'll put updated packages on my server tonight. Could we move forward on this? Regards, -- Yves-Alexis Perez ANSSI/ACE/LAM signature.asc Description: This is a digitally signed message part
Bug#605090: [grsec] update on featureset
On mar., 2011-10-11 at 16:52 +0200, Yves-Alexis Perez wrote: I've updated the patches to the latest svn (sid) version and the latest grsecurity/pax patches and I'll put updated packages on my server tonight. Packages are available on: deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/ Regards, -- Yves-Alexis signature.asc Description: This is a digitally signed message part