[arch-dev-public] providing grsecurity in [community]

Allan McRae allan at archlinux.org
Fri Apr 18 20:15:42 EDT 2014


On 19/04/14 07:11, Tom Gundersen wrote:
> On Wed, Apr 16, 2014 at 6:09 AM, Daniel Micay <danielmicay at gmail.com> wrote:
>> There has been a recent surge of interest in securing Arch by paying
>> closer attention to CVEs and addressing many security issues in our
>> packages. I also started some initial work/documenting on securing the
>> services shipped in various packages:
>>
>> https://wiki.archlinux.org/index.php/DeveloperWiki:Service_isolation
> 
> I'm very happy that more people are now looking at security-related
> things in Arch. Nice work!
> 
>> To go along with this, I'm interested in maintaining the grsecurity
>> kernel and userspace tools in [community] to provide a hardened kernel
>> and role-based access control system. This would be the first case of an
>> alternative kernel in the repositories, so I'm open to discussion about
>> whether it's appropriate to do this. There are also some issues relevant
>> to other packages in the repositories.
> 
> Hmm, grsec seems like a dead-end to me. It will never land upstream,
> and hence will never be in our standard kernel and our default
> packages will therefore never be integrated with it. So whatever work
> you do will have to live independently in perpetuity. At worst it
> would split our (very limited) development and QA resources.
> 
> Would it not make more sense to focus on some other security features
> that are actually upstream and which can then at least potentially be
> merged into our default packages eventually?
> 
> Maybe another option, if you really think grsec is the way to go,
> would be to simply create a new unofficial repository and put the
> packages there instead?

I'd say an unofficial repo is the way to go for the time being.
linux-grsec in the AUR only has 44 votes, so it is not screaming out for
inclusion in the repos.

Allan


