On 9/6/05, Grzegorz Bizon <[EMAIL PROTECTED]> wrote:
> Anyway, I just wonder what is wrong about grsecurity

For starters, the upstream developer claims [1, 2] to engage in the morally reprehensible practice of selling 0-day exploits he finds in competing products to blackhats. This also casts doubt on the trustworthiness of his *own* code, since any undiscovered (read: not publicly disclosed) vulnerabilities/holes/etc in Grsecurity are a potential revenue stream for him.

Not that my opinion carries much weight, but I personally feel that this massive conflict of interest means that Grsecurity should never be supported by Debian in any way whatsoever.

[1] http://lwn.net/Articles/111437/ - "Does RedHat buy exploits for their own code? If so, how much would RedHat pay for information on an information leaking vulnerability in SELinux for a physical, local user? I've sold all my Exec-Shield exploits (that still work!), otherwise I'd offer those as well ;\"

[2] http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1315.html

--
Andrew Saunders