Hey,

This patch-set should replace linux-patch-grsecurity2. This patch-set provides
excellent default settings and capability. For example, the user and group 
setup helps with creating consistent access user and group ids across servers. 
Most of the default kernel settings match with Gentoo's hardened project kernel
settings. Since this patch-set integrates with Debian patch-sets, servers get
benefits from both patch-sets. And, admins don't have to choose between
patching the vanilla sources or resolving conflicts between the Debian and
grsec patch-sets.

I believe a statistic needs to be done on how much of the grsec feature set is 
used by grsec users. For example, I use RBAC instead of SELinux and Tomoyo
almost always. There are also things like extra chroot security features that
should be taken into consideration. My hypothesis for this statistic is that 
most grsec users use RBAC as well. For those that don't, I understand that a 
split between larger and smaller feature sets, PAX vs RBAC, would be helpful. 
For this split to happen, with grsec's history, I think a large interest needs 
to be shown for them to split the patch-set. So, if this is accepted, maybe the 
level of interest needed to get a split patch will be generated.

Currently, I like this as a patch-set more than a binary because of security 
conflicts with things like Xen. However, if I wasn't using Xen, I would use the
binary.

(Note: I accidentally sent this message to 605090-subscr...@bugs.debian.org
first.)
