On jeu., 2011-09-01 at 05:20 +0100, Ben Hutchings wrote: > On Wed, 2011-08-31 at 18:33 +0200, Yves-Alexis Perez wrote: > > Ok, here's an updated patchset. > > > > Tarball can be found at > > http://molly.corsac.net/~corsac/debian/kernel-grsec/grsec-patches.tar.xz > > (and already extracted in grsec-patches/ folder). > > > > It's a folder with a quilt patche series > > > > * 01_support-linux-3.0.patch > > > > This is unrelated but needed to support linux3 naming scheme in > > genorig.py. > > Already done on trunk.
Ha, fair enough, I was wondering how people did the orig for 3.x :) Can this be committed to sid/, since it has 3.0 anyway? > > > * 02_force-hostcc-version.patch > > > > This one is needed because grsecurity ships two gcc (>= 4.5) plugins. > > Those need to be built with the same compiler version as the rest of the > > kernel, but right now they're built with HOSTCC which is not set right > > now, so defaults to 'gcc' which is gcc-4.6 at that time. So export > > HOSTCC to the (non CROSS_COMPILE) version. > > gcc plugins surely need to be built _for_ the compiler version used for > the kernel, not _by_ that version. I'm not sure about what you mean here. I assumed that building a gcc plugin with a given gcc version meant that it was built *for* this version (and thus forcing the compiler for those plugins to the same version used for the kernel meant the plugin would work at kernel build time). > > Also, you are changing HOSTCC for all build tools and not just these > plugins. Yes, as said on #debian-kernel this was because it seemed more logical to use the same thing everywhere and because at one point I had issues with building perf for squeeze 2.6.32 on a box where gcc was at 4.6. And in fact, afaict, I'm forcing HOSTCC for the whole build, but I have to admit I found that more consistent to have CC and HOSTCC at the same version. If you think it's a bad idea I can try to modify grsecurity patch to add it to the plugins Makefile (that'd be debian specific the same way I remove localversion) but kernelvariables looked like a good place. > > > 03_enable-strict-user-copy-check.patch > > > > This one in not directly involved with grsecurity. Could be enabled by > > itself (#639919) > > Without the strict check, the crap code produces a compile-time warning > and a run-time warning and *no copying*. With the strict check, the > crap code results in FTBFS (but only on i386 and s390!). So how is this > an improvement for us? I've replied to the specific bug so we can track it there, since it's unrelated (and is not needed per se on the grsecurity featureset). > > > 04_add-linux-grsec-base-templates.patch > > > > This one adds basic templates for a linux-grsec-base binary packages to > > be built by linux-2.6 but I still didn't figured out how to patch > > genorig.py to make it do it. > > Don't add such a package to linux-2.6. It should be a new source > package, like linux-base is now (after I initially made that mistake). Well, that's what I did when you suggested it (packaging is at http://anonscm.debian.org/gitweb/?p=collab-maint/linux-grsec-base.git;a=summary) but afaiui Bastian asked it not to be a new source package. Anyway, this can be dropped easily if not needed. > > > 05_add-grsec-featureset.patch > > > > This is the main part, adding the featureset and config. > > And linux-grsec-base, a second time! Woops, fixed :) > > > 06_grsecurity.patch > > > > The main grsecurity patch, not really readable since the quilt patch > > adds a patch :) It's basically the genuine grsecurity patch (right now > > grsecurity-2.2.2-3.0.4-201108301903.patch) with two little change: > > > > * removing the -grsec localversion > > * oneliner to make it apply against debian sources > > You should provide a gen-patch script to help in regenerating the patch. Yeah good point. At least localversion should be easy to filterdiff. And maybe add a specific .kernelvariables and the relevant include to the plugins Makefile. Thanks for the suggestion. Regards, -- Yves-Alexis Perez ANSSI/ACE/LAM
signature.asc
Description: This is a digitally signed message part
