On Tue, Apr 22, 2014 at 08:30:01PM +0100, Ben Hutchings wrote:
> On Mon, 2014-04-21 at 05:28 +0200, Carlos Alberto Lopez Perez wrote:
> > On 17/04/14 00:23, Aaron Zauner wrote:
> > > Now shipping grsec is a really good idea. I'd like to see that as well.
> > 
> > There has been an attempt to provide an official grsec-flavour of the
> > Debian kernel, but it didn't worked:
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090
> > 
> > For those interested, Corsac provides packages:
> > 
> > https://wiki.debian.org/grsecurity
> 
> There was a recent discussion on -private where I think there was some
> consensus that a grsecurity kernel package could be included in Debian
> as a separate source package.

I'm a bit unsure about that consensus. Right now there are two attempts
to provide a grsecurity package for Debian:

- mine, which is about adding a grsec featureset to the src:linux
  package (so basically adding grsec patch on top of the Debian patches,
  and re-using everything else). This attempt was already NACK-ed by the
  kernel team;
- the Mempo/SameKernel attempt, which is about using a vanilla kernel
  and adding grsecurity on top of it (and, I guess, a .config which
  looks like the src:linux one)

The latter is much easier in term of management since all the
integration is done by spender (he's actually working on providing
.deb builds of grsec packages), so I didn't really consider it worthy to
investigate time on it since basically everyone can do it with a simple
script.

NOTE: I don't want to dismiss Mempo attempts, especially the
reproducible build part, and I also think it's valuable to provide our
users a grsec kernel as part of the distribution, just that I prefered
to go the featureset way.

I had the impression that adding a new copy of the linux sources was not
really something appreciated by the project, and re-using linux-source
(binary) package means the patch porting needs to be done anyway.

But if I'm wrong or if things have changed since them, and there's
indeed a consensus for the vanilla + grsecurity + make deb-pkg as an
easy way to provide grsec kernels in the Debian archive, then I'm all
for it.

Regards,
-- 
Yves-Alexis Perez

Attachment: signature.asc
Description: Digital signature

Reply via email to