On 18/04/14 08:15 PM, Allan McRae wrote:
> On 19/04/14 07:11, Tom Gundersen wrote:
>> On Wed, Apr 16, 2014 at 6:09 AM, Daniel Micay <danielmi...@gmail.com> wrote:
>>> There has been a recent surge of interest in securing Arch by paying
>>> closer attention to CVEs and addressing many security issues in our
>>> packages. I also started some initial work/documenting on securing the
>>> services shipped in various packages:
>>>
>>> https://wiki.archlinux.org/index.php/DeveloperWiki:Service_isolation
>>
>> I'm very happy that more people are now looking at security related
>> things in Arch. Nice work!
>>
>>> To go along with this, I'm interested in maintaining the grsecurity
>>> kernel and userspace tools in [community] to provide a hardened kernel
>>> and role-based access control system. This would be the first case of an
>>> alternative kernel in the repositories, so I'm open to discussion about
>>> whether it's appropriate to do this. There are also some issues relevant
>>> to other packages in the repositories.
>>
>> Hmm, grsec seems like a dead-end to me. It will never land upstream,
>> and hence will never be in our standard kernel and our default
>> packages will therefore never be integrated with it. So whatever work
>> you do will have to live independently in perpetuity. At worst it
>> would split our (very limited) development and QA resources.
>>
>> Would it not make more sense to focus on some other security features
>> that are actually upstream and which can then at least potentially be
>> merged into our default packages eventually?
>>
>> Maybe another option, if you really think grsec is the way to go,
>> would be to simply create a new unofficial repository and put the
>> packages there instead?
>
> I'd say an unofficial repo is the way to go for the time being.
> linux-grsec in the AUR only has 44 votes, so it is not screaming out for
> inclusion in the repos.
>
> Allan
>
Users have been asking for MAC to be provided in the repositories for a long time. At the moment, two bugs are open about it:

https://bugs.archlinux.org/task/37578
https://bugs.archlinux.org/task/39852

Any of these reported bugs could simply be closed with the response that the grsecurity RBAC is provided in the repositories and there's no one interested in maintaining another. I think that's a response most people would be satisfied with, but users aren't going to be very happy with a WONTFIX simply saying Arch has no official support for any of this.