[arch-dev-public] providing grsecurity in [community]

Tom Gundersen teg at jklm.no
Sat Apr 19 17:25:45 EDT 2014


On Sat, Apr 19, 2014 at 9:59 PM, Daniel Micay <danielmicay at gmail.com> wrote:
> Users have been asking for MAC to be provided in the repositories for a
> long time. At the moment, two bugs are open about it:
>
> https://bugs.archlinux.org/task/37578
> https://bugs.archlinux.org/task/39852
>
> Any of these reported bugs could simply be closed with the response that
> the grsecurity RBAC is provided in the repositories and there's no one
> interested in maintaining another. I think that's a response most people
> would be satisfied with, but users aren't going to be very happy with
> a WONTFIX simply saying Arch has no official support for any of this.

I would see this the other way around (which is one of the reasons I
don't think adding forks of the kernel is such a great idea). It would
be very nice if we could manage to support some more security features
in the main kernel, but asking people to use an alternative kernel if
they want security features seems wrong. Especially if it is used as
an excuse not to get things that are already upstream working with the
main kernel we provide.

If you were providing an alternative kernel temporarily as a
testing-ground for things that would eventually get integrated in our
main kernel, I'd be all for it. But the way I see it, everyone agrees
that grsec is never going upstream and that this is not something we
could ever integrate in the main kernel, so I think we should be very
careful about splitting efforts which could have otherwise benefited
the whole distro (such as support for AppArmor, TOMOYO, SELinux,
whatever).

In short, work on grsec if you want, but please let's not use that as
an excuse to discourage people from working on similar features for
the main kernel.

Cheers,

Tom

