2017-04-29 14:47 GMT+02:00 Alex Efros <powerman@××××××××.name>:
> Hi!
>
> On Sat, Apr 29, 2017 at 01:49:20PM +0200, Luis Ressel wrote:
>> I suppose we all just grudgingly switch over to gentoo-sources?
>
> I wonder for how long the current kernel with grsec will be safer and
> more protected against new exploits than up-to-date gentoo-sources…
> Something new in security: avoid updates to have better protection.

It's not about grsecurity, it's about PaX. This was the basic layer
of protection. Gentoo Hardened has spent years working to provide PaX
support in userland. It was the core of this project. Alpine Linux and
others are also based on PaX. After years of building _trust_, it all
disappears overnight. You can use Grsecurity, you can use SELinux, you
can use RSBAC, but you do not have a good alternative for PaX. And
this is an existential problem for all these projects. By the way, I
don't know what Gentoo Hardened or Alpine Linux have done wrong
that they are now left out in the cold.

Instead of complaining, we have to decide what to do next. In my
opinion, it is critical to maintain support for PaX* for future
kernels. It will not be easy, so I'm saying right away that Gentoo
Hardened, Alpine Linux etc. should join forces in realizing this
project. I think there will be more people who will be interested
in...

* https://www.grsecurity.net/~paxguy1/

Daniel