On 18/04/14 08:15 PM, Allan McRae wrote:
> On 19/04/14 07:11, Tom Gundersen wrote:
>> On Wed, Apr 16, 2014 at 6:09 AM, Daniel Micay <danielmicay@gmail.com> wrote:
>>> There has been a recent surge of interest in securing Arch by paying closer attention to CVEs and addressing many security issues in our packages. I also started some initial work/documenting on securing the services shipped in various packages:
>>> https://wiki.archlinux.org/index.php/DeveloperWiki:Service_isolation
>> I'm very happy that more people are now looking at security related things in Arch. Nice work!
>>> To go along with this, I'm interested in maintaining the grsecurity kernel and userspace tools in [community] to provide a hardened kernel and role-based access control system. This would be the first case of an alternative kernel in the repositories, so I'm open to discussion about whether it's appropriate to do this. There are also some issues relevant to other packages in the repositories.
>> Hmm, grsec seems like a dead-end to me. It will never land upstream, and hence will never be in our standard kernel and our default packages will therefore never be integrated with it. So whatever work you do will have to live independently in perpetuity. At worst it would split our (very limited) development and QA resources.
>> Would it not make more sense to focus on some other security features that are actually upstream and which can then at least potentially be merged into our default packages eventually?
>> Maybe another option, if you really think grsec is the way to go, would be to simply create a new unofficial repository and put the packages there instead?
> I'd say an unofficial repo is the way to go for the time being. linux-grsec in the AUR only has 44 votes, so it is not screaming out for inclusion in the repos.
> Allan
Users have been asking for MAC to be provided in the repositories for a long time. At the moment, two bugs are open about it:
https://bugs.archlinux.org/task/37578
https://bugs.archlinux.org/task/39852
Any of these reported bugs could simply be closed with the response that the grsecurity RBAC is provided in the repositories and there's no one interested in maintaining another. I think that's a response most people would be satisfied with, but users aren't going to be very happy with a WONTFIX simply saying Arch has no official support for any of this.