Bug#934820: consider review and merge of linux-hardened patches (free, Libre alternative to grsecurity)

2019-08-17 Thread Ben Hutchings
On Thu, 2019-08-15 at 12:00 +, Patrick Schleizer wrote:
> Package: linux
> Severity: wishlist
> X-Debbugs-CC: whonix-de...@whonix.org
> 
> Dear maintainer,
> 
> Could you please consider reviewing and merging the linux-hardened patches
> (a free, Libre alternative to grsecurity)?
> 
> https://github.com/anthraxx/linux-hardened
> 
> Alternatively perhaps as a separate package.
> 
> RFP: linux-hardened - hardened Linux kernel
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934751

Any large patch set that is not upstream would need to be applied as an
optional "featureset".  (The "lockdown" patch set has been an exception
to this because Secure Boot was an obstacle to installing Debian and we
needed to support it in the default kernel.)  The requirements for a
featureset are roughly:

* Its developers should be actively working to get those patches
upstream.
* There must be at least someone within the kernel team who takes
responsibility for maintaining it.
* It should have regular verifiable releases.  (Also, if it isn't
updated for a new upstream version, we won't wait for it but will
disable building it temporarily.)

I would much prefer to see hardening changes that we can apply by
default, protecting the majority of Debian systems.  We do apply some
small patches so that we can enable building high-risk features but
have them disabled at run-time by default.  Even though these aren't
upstream, they rarely require work to apply to new upstream versions. 
I would certainly be open to changes of this sort.

Ben.

-- 
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption]
would be development of an easy way to factor large prime numbers.
   - Bill Gates



Bug#934820: consider review and merge of linux-hardened patches (free, Libre alternative to grsecurity)

2019-08-15 Thread Patrick Schleizer
Package: linux
Severity: wishlist
X-Debbugs-CC: whonix-de...@whonix.org

Dear maintainer,

Could you please consider reviewing and merging the linux-hardened patches
(a free, Libre alternative to grsecurity)?

https://github.com/anthraxx/linux-hardened

Alternatively perhaps as a separate package.

RFP: linux-hardened - hardened Linux kernel

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934751

Kind regards,
Patrick