User: Password:
|
|
Subscribe / Log in / New account

Tightening security: Time to prioritize it!!

Tightening security: Time to prioritize it!!

Posted Jul 12, 2012 12:26 UTC (Thu) by spender (subscriber, #23067)
In reply to: Tightening security: Time to prioritize it!! by BenHutchings
Parent article: Tightening security: not for the impatient

Ben seems to be referring to my only public comment on the Debian list regarding packaging grsecurity. For the others reading, here's my comment in its entirety:
http://lists.debian.org/debian-kernel/2012/01/msg01165.html

Anyone is free to do what they want, of course. I just don't recommend the use of such kernels, as over the years I've noticed several things:

1) Our development is very active, yet any 3rd-party packaging has always lagged (often quite badly). In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.
2) Security isn't obtained by lifting individual features, and you can't just toss some code into a codebase and claim it works as intended just because it applies cleanly. I'll be giving a talk in October at H2HC where in part I'll talk about some security features that were ripped from grsecurity and submitted upstream, then neglected to the point where they no longer do what they claim.
3) When it comes to security features, I argue the same as in Plato's "Ion", that a security researcher with kernel development experience would know best how it should be merged to preserve its integrity. Not a kernel developer lacking security knowledge, and definitely not someone just testing to see if two codebases compile when merged.

I don't think any of the above is unreasonable. BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)

-Brad


(Log in to post comments)

Tightening security: Time to prioritize it!!

Posted Jul 13, 2012 1:36 UTC (Fri) by BenHutchings (subscriber, #37955) [Link]

In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.

Not an official Debian package, of course.

BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)

My remark was intended more as a joke that it's very easy to satisfy people who want me (or rather us) not to work on something. Less funny when it has to be explained, I suppose. As for backporting security fixes, I try, but surely you consider me incompetent to do so?

Tightening security: Time to prioritize it!!

Posted Jul 13, 2012 2:45 UTC (Fri) by spender (subscriber, #23067) [Link]

In that case, sorry -- I shouldn't have assumed. FWIW you do a good job backporting with much attention to detail. My comments were more about merging of security features as opposed to fixes for a particular bug. Features generally require ongoing maintenance and re-evaluation.

-Brad


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds