On 19/04/14 07:11, Tom Gundersen wrote:
On Wed, Apr 16, 2014 at 6:09 AM, Daniel Micay <danielmicay@gmail.com> wrote:
There has been a recent surge of interest in securing Arch by paying closer attention to CVEs and addressing many security issues in our packages. I also started some initial work/documenting on securing the services shipped in various packages:
https://wiki.archlinux.org/index.php/DeveloperWiki:Service_isolation
I'm very happy that more people are now looking at security related things in Arch. Nice work!
To go along with this, I'm interested in maintaining the grsecurity kernel and userspace tools in [community] to provide a hardened kernel and role-based access control system. This would be the first case of an alternative kernel in the repositories, so I'm open to discussion about whether it's appropriate to do this. There are also some issues relevant to other packages in the repositories.
Hmm, grsec seems like a dead-end to me. It will never land upstream, and hence will never be in our standard kernel and our default packages will therefore never be integrated with it. So whatever work you do will have to live independently in perpetuity. At worst it would split our (very limited) development and QA resources.
Would it not make more sense to focus on some other security features that are actually upstream and which can then at least potentially be merged into our default packages eventually?
Maybe another option, if you really think grsec is the way to go, would be to simply create a new unofficial repository and put the packages there instead?
I'd say an unofficial repo is the way to go for the time being. linux-grsec in the AUR only has 44 votes, so it is not screaming out for inclusion in the repos. Allan