[arch-dev-public] providing grsecurity in [community]

Daniel Micay danielmicay at gmail.com
Sat Apr 19 14:57:19 EDT 2014


On 19/04/14 02:11 PM, Connor Behan wrote:
> On 19/04/14 12:28 AM, Daniel Micay wrote:
>> I've already spent far more time writing these mailing list responses
>> than any amount of work I've put into improving security-related
>> issues... speaking of development resources.
> Hah. I would just like to add that unofficial repositories are usually a
> dead end.
> 
> 1. Maintainer adds kernel to his own repository and tries to advertise
> it in the forums.
> 2. Only 10 people install it.
> 3. Maintainer decides it's not worth the work and takes down the repo.
> 
> With [community] there is a much higher probability that packages will
> be popular and maintained for a while.

I'm already maintaining the userspace components (gradm, paxtest,
checksec) that weren't already there (pax-utils) in [community] since
there's no political issue attached to them.

They're only just barely useful without the kernel though, and it's not
going to be obvious where to get the corresponding kernel, unless I step
out of the usual conventions and have the wiki page talk about an
unofficial repository.

You can check that an RBAC profile is valid, but not load it. You can
verify that the Linux kernel's ASLR implementation is still too weak to
pass the `paxtest` tests from the early 2000s, but can't enable
something better. Checking for RELRO / PIE / stack canaries is a bit
more useful at least...
