[arch-dev-public] Consensus: DKMS modules

Daniel Micay danielmicay at gmail.com
Tue Mar 15 23:49:25 UTC 2016


> To me the issue is people pushing new kernels to the repos but not
> being
> able to provide the same level of support that we have for mainline.
> Offloading out-of-tree module rebuilds to end users instead of doing
> it
> ourselves is clearly not the right solution.
> 
> So I say: remove each non-mainline kernel of which the maintainer is
> unwilling to support the corresponding out-of-tree modules. After
> all,
> as Allan points out, rebuilding them is a simple script job...
> 
> Cheers.

In general, out-of-tree modules aren't compatible with linux-grsec. It
is not enough to simply rebuild them. It would require actively keeping
them compatible by maintaining patches for them and possibly working
with the upstreams for the out-of-tree modules for cases where bugs are
being uncovered rather than false positives / tweaks for compatibility.

Some out-of-tree modules aren't going to be compatible with the chosen
configuration at all, similar to how Xen support is disabled in favour
of having the hardening features marked as incompatible with it.

The NVIDIA driver and broadcom-wl need to be patched and and VirtualBox
is semi-incompatible with the chosen configuration. AFAIK, users would
need to rebuild the kernel with a couple options disabled for all the
VirtualBox features to work.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20160315/8fb4cdbe/attachment.asc>


More information about the arch-dev-public mailing list