Bug#678942: linux-patch-grsecurity2: doesn't apply against Debian kernel sources, documentation misleading
Package: linux-patch-grsecurity2
Version: 2.9.1+3.2.21-201206221855-1
Severity: important

Hey,

I noticed your upload of the latest Grsecurity patches to Debian. While I would very much like to have decent Grsecurity support in Debian, I'm not quite sure this package, in the current state, really helps that (I'm not sure shipping the patch itself makes sense anyway).

Right now, the documentation mentions dh-kpatches and make-kpkg, and implies the patch could be applied to the Debian sources. That's just wrong.

Right now, the only difference with downloading upstream sources directly seems to be that you lack the GPG signature.

I guess you might want to tune the package, either to adapt it to debian sources, or to properly document how to build the kernel (replacing make-kpkg by make deb-pkg for example), or maybe something else.

But I'm afraid right now the package, although now up2date, is just useless and confusing for users.

Sorry if the tone is a bit rude, it's not intended, I'm very much interested in ways to improve Grsecurity support in Debian.

Regards,
--
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-patch-grsecurity2 depends on:
ii  bash                      4.2-2
ii  dctrl-tools [grep-dctrl]  2.22.2
ii  debconf [debconf-2.0]     1.5.44
ii  patch                     2.6.1-3

Versions of packages linux-patch-grsecurity2 recommends:
ii  gradm2                  2.9.1~201206091838-1
ii  kernel-package          12.036+nmu2
pn  linux-patch-debian-3.2  none
ii  linux-source-3.2        3.2.21-1

linux-patch-grsecurity2 suggests no packages.

-- debconf information:
* linux-patch-grsecurity2/2.1.3-security:
* linux-patch-grsecurity2/2.1.2-security:
Bug#678942: linux-patch-grsecurity2: doesn't apply against Debian kernel sources, documentation misleading
Hi Yves-Alexis,

On Mon, 2012-06-25 at 11:17 +0200, Yves-Alexis Perez wrote:
> I noticed your upload of the latest Grsecurity patches to Debian. While I would very much like to have decent Grsecurity support in Debian, I'm not quite sure this package, in the current state, really helps that (I'm not sure shipping the patch itself makes sense anyway).

Users without decent internet connection may need this.

> Right now, the documentation mentions dh-kpatches and make-kpkg, and implies the patch could be applied to the Debian sources. That's just wrong.

No, please see README.2.4.2x . It states that since 2003, it just won't apply to Debian kernels. First you have to unpatch the Debian modifications.

> Right now, the only difference with downloading upstream sources directly seems to be that you lack the GPG signature.

Again no, please see the source package, which contains the GPG signatures.

> I guess you might want to tune the package, either to adapt it to debian sources, or to properly document how to build the kernel (replacing make-kpkg by make deb-pkg for example), or maybe something else.

Maybe the package needs a tool added, which builds the vanilla kernel with grsecurity applied.

> But I'm afraid right now the package, although now up2date, is just useless and confusing for users.

What do you propose? Drop make-kpkg stuff and add an own build tool?

> Sorry if the tone is a bit rude, it's not intended, I'm very much interested in ways to improve Grsecurity support in Debian.

Until we can discuss the views of the package, I don't count it as rude. Please note that it would require way too much expertise and time to always merge Debian changes with grsecurity.

All in all, I think SELinux is more common if you need restrictions on your Linux OS.

Regards,
Laszlo/GCS
Bug#678942: linux-patch-grsecurity2: doesn't apply against Debian kernel sources, documentation misleading
On lun., 2012-06-25 at 09:49 +, Laszlo Boszormenyi (GCS) wrote:
> Hi Yves-Alexis,
>
> On Mon, 2012-06-25 at 11:17 +0200, Yves-Alexis Perez wrote:
> > I noticed your upload of the latest Grsecurity patches to Debian. While I would very much like to have decent Grsecurity support in Debian, I'm not quite sure this package, in the current state, really helps that (I'm not sure shipping the patch itself makes sense anyway).
> Users without decent internet connection may need this.

Yes, but they'll still need to download the Debian package somehow. Shipping binary packages makes sense because people can do mirror sync and be done (or use dvd, stuff like that). Shipping plain patch in binary packages, just like that, doesn't make much sense anyway.

> > Right now, the documentation mentions dh-kpatches and make-kpkg, and implies the patch could be applied to the Debian sources. That's just wrong.
> No, please see README.2.4.2x . It states that since 2003, it just won't apply to Debian kernels. First you have to unpatch the Debian modifications.

I run a 3.2 kernel (or maybe a 2.6). So README 2.4 doesn't exactly apply to anything. It should be renamed, or removed. In any case, all the documentation should be completely redone, imho.

> > Right now, the only difference with downloading upstream sources directly seems to be that you lack the GPG signature.
> Again no, please see the source package, which contains the GPG signatures.

That's not enough, the signature should be in the binary package.

> > I guess you might want to tune the package, either to adapt it to debian sources, or to properly document how to build the kernel (replacing make-kpkg by make deb-pkg for example), or maybe something else.
> Maybe the package needs a tool added, which builds the vanilla kernel with grsecurity applied.
>
> > But I'm afraid right now the package, although now up2date, is just useless and confusing for users.
> What do you propose? Drop make-kpkg stuff and add an own build tool?

I have no idea what is your final intent with the package, I'm just saying that right now it's a bit inconsistent.

> > Sorry if the tone is a bit rude, it's not intended, I'm very much interested in ways to improve Grsecurity support in Debian.
> Until we can discuss the views of the package, I don't count it as rude. Please note that it would require way too much expertise and time to always merge Debian changes with grsecurity.

I know, I'm doing it, see #605090 and http://anonscm.debian.org/gitweb/?p=users/corsac/grsec-patches.git;a=summary

> All in all, I think SELinux is more common if you need restrictions on your Linux OS.

To be honest, I don't use RBAC, I'm more interested by the PaX and generic Grsec hardening than by MAC.

Regards,
--
Yves-Alexis