Re: Linux 3.2 in wheezy

From: Brad Spengler <spender_at_nospam>
Date: Mon Jan 30 2012 - 13:02:22 GMT
To: Yves-Alexis Perez <corsac@debian.org>

> Indeed. Brad, I'm not sure if you received the initial mail, so if you
> have any comment???

It looks like there were quite a few messages I wasn't involved in ;)

Regarding minimizing the patchset, we do that already where we see
opportunities to do so. We used to carry a large constifying patch
which has now been replaced with a gcc plugin. Likewise with the kernel
stack clearing feature.

As far as gutting the patch for whatever features someone not involved
in the project thinks are the only ones necessary (I saw a few posts
in the thread asking for that) -- I don't think it's a good idea and
I'm not interested at all in assisting that.

If we're going to be in the business of telling other people what to do
with their free time, might I suggest that Debian improve its userland
hardening so that it's not in last place? As a Debian user myself, I
can assure you that no one cares about a miniscule performance hit from
PIE on i386 in su/passwd. There's no reason not to have these privilege
boundaries hardened -- and very disappointing for us as
MPROTECT/ASLR/GRKERNSEC_BRUTEFORCE would have provided an effective
deterrent against exploitation of the /proc/pid/mem vuln were it not
for distros' userland hardening being asleep on the job. That failure
will continue to bite users.

Frankly it makes more sense for me to offer .debs myself than to deal
with a bureaucracy and non-standard kernel in Debian. It contains
who-knows-what extra code, and I doubt anyone looked at any of it to see if
it allows for some way to leak information I prevent against a vanilla
kernel, or a way to bypass any other existing protection. There's more
to security (a whole-system concept) than just the ripping of individual
features.

-Brad

-- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: http://lists.debian.org/20120130130222.GA32686@grsecurity.net

This message: [ Message body ]
Next message: Ben Hutchings: "Re: Linux 3.2 in wheezy"
Previous message: Yves-Alexis Perez: "Re: Linux 3.2 in wheezy"
In reply to: Yves-Alexis Perez: "Re: Linux 3.2 in wheezy"
Next in thread: Peter Samuelson: "Re: Linux 3.2 in wheezy"
Reply: Peter Samuelson: "Re: Linux 3.2 in wheezy"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]