Ok so the tarball on the website isn't really convenient so, for now,
I've put the quilt series on a git repository on git.d.o:
http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary
The master branch is for the "sid" branch in debian kernel svn, and
there's a squeeze branch too (though it's for now out of date).
I've updated the patches to the latest svn (sid) version and the latest
grsecurity/pax patches and I'll put updated packages on my server
tonight.
Could we move forward on this?
Regards,
--
Yves-Alexis Perez
ANSSI/ACE/LAM
10-11-2011, 07:10 PM
Yves-Alexis Perez
Bug#605090: update on featureset
On mar., 2011-10-11 at 16:52 +0200, Yves-Alexis Perez wrote:
>
> I've updated the patches to the latest svn (sid) version and the latest
> grsecurity/pax patches and I'll put updated packages on my server
> tonight.
Packages are available on:
deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/
Regards,
--
Yves-Alexis
11-10-2011, 01:46 PM
Yves-Alexis Perez
Bug#605090: update on featureset
On mar., 2011-10-11 at 16:52 +0200, Yves-Alexis Perez wrote:
> Ok so the tarball on the website isn't really convenient so, for now,
> I've put the quilt series on a git repository on git.d.o:
> http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary
Now upgraded to grsecurity 2.2.2-3.0.8-201110250925 against
linux-2.6_3.0.0-6.
Package (i386 and amd64) should be available on:
deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/
tonight.
>
> Could we move forward on this?
Since I got no reply at all after this mail, I'm asking again. I know
people are busy and I know this bug is not the easiest to handle, but
I'd really like to move on.
Since the RT featureset was added not that long ago, I guess the concept
of featureset is still welcome. I know the situation is different, but
still, I really think Debian users would appreciate a grsecurity
featureset, which wouldn't harm other people's kernels thanks to the
alternate image.
Regards,
--
Yves-Alexis Perez
ANSSI/ACE/LAM
11-10-2011, 02:24 PM
Ben Hutchings
Bug#605090: update on featureset
On Thu, 2011-11-10 at 15:46 +0100, Yves-Alexis Perez wrote:
> On mar., 2011-10-11 at 16:52 +0200, Yves-Alexis Perez wrote:
> > Ok so the tarball on the website isn't really convenient so, for now,
> > I've put the quilt series on a git repository on git.d.o:
> > http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary
>
> Now upgraded to grsecurity 2.2.2-3.0.8-201110250925 against
> linux-2.6_3.0.0-6.
>
> Package (i386 and amd64) should be available on:
>
> deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/
>
> tonight.
> >
> > Could we move forward on this?
>
> Since I got no reply at all after this mail, I'm asking again. I know
> people are busy and I know this bug is not the easiest to handle, but
> I'd really like to move on.
>
> Since the RT featureset was added not that long ago, I guess the concept
> of featureset is still welcome. I know the situation is different, but
> still, I really think Debian users would appreciate a grsecurity
> featureset, which wouldn't harm other people's kernels thanks to the
> alternate image.
Every extra featureset that requires additional effort from the existing
team members reduces the effort that can be spent on other tasks.
Is the grsecurity patch getting bigger or smaller over time?
Ben.
--
Ben Hutchings
You can't have everything. Where would you put it?
11-10-2011, 03:44 PM
Yves-Alexis Perez
Bug#605090: update on featureset
On 10/11/2011 16:24, Ben Hutchings wrote:
> Every extra featureset that requires additional effort from the existing
> team members reduces the effort that can be spent on other tasks.
Yes, I definitely understand that, and I really intend to provide enough
help to minimize the burden on existing team members who don't care
about that featureset.
>
> Is the grsecurity patch getting bigger or smaller over time?
It's a bit hard to tell. Putting aside the various security backports
(mainly relevant for the 2.6.32 patch), the size seems to have decreased
a little since 2.6.39 (and risen in the 3.0 series).
Feature-wise, Brad Spengler and the PaX team still add stuff, like the
gcc plugins or hardening features like symbols hiding, fix bugs (for
example in RBAC code), while few of them reach mainline.
--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4EBBFF75.1080105@ssi.gouv.fr
11-10-2011, 04:06 PM
Moritz Muehlenhoff
Bug#605090: update on featureset
On Thu, Nov 10, 2011 at 05:44:37PM +0100, Yves-Alexis Perez wrote:
> On 10/11/2011 16:24, Ben Hutchings wrote:
> > Every extra featureset that requires additional effort from the existing
> > team members reduces the effort that can be spent on other tasks.
>
> Yes, I definitely understand that, and I really intend to provide enough
> help to minimize the burden on existing team members who don't care
> about that featureset.
> >
> > Is the grsecurity patch getting bigger or smaller over time?
>
> It's a bit hard to tell. Putting aside the various security backports
> (mainly relevant for the 2.6.32 patch), the size seems to have decreased
> a little since 2.6.39 (and risen in the 3.0 series).
>
> Feature-wise, Brad Spengler and the PaX team still add stuff, like the
> gcc plugins or hardening features like symbols hiding, fix bugs (for
> example in RBAC code), while few of them reach mainline.
Maybe we can ask upstream, whether the RBAC code and the rest of the
patch set can be separated? I don't think there's much interest in RBAC
for a Debian feature set, while the rest is quite interesting.
Cheers,
Moritz
--
Archive: http://lists.debian.org/20111110170640.GB23794@inutil.org
11-10-2011, 04:16 PM
Yves-Alexis Perez
Bug#605090: update on featureset
On 10/11/2011 18:06, Moritz Muehlenhoff wrote:
> Maybe we can ask upstream, whether the RBAC code and the rest of the
> patch set can be separated? I don't think there's much interest in RBAC
> for a Debian feature set, while the rest is quite interesting.
>
Unfortunately, I already asked upstream about a nicely split patch,
but Brad didn't seem interested back in time. It might be worth
re-asking though.
--
Archive: http://lists.debian.org/4EBC0708.4020204@ssi.gouv.fr