[grsec] consider splitting grsecurity
spender at grsecurity.net
Sun Nov 7 16:16:46 EST 2004
> I am poking on this issue again, because I began to look into grsec-2.x
> (yes, I have used and will use grsec-1.x until gradm2 won't fail on
> learning ;) and found too much discrepancy between pax and grsec (compared
> the latest cvs, where pax-2.4.27 is added).
> It would be easier to maintain and keep in sync.
>
> Why can't we "build" a community who makes development on grsec?

I've already said why I won't split up the patches, but I'll repeat the
reasons again:

1) grsecurity is not meant to be separated into multiple parts.
Splitting it up into multiple parts encourages improper usage. If the
reason is that you want to use SELinux or RSBAC, go ahead and use them.
Their fans claim that these are flexible systems that could do anything
grsec does, so clearly there is no reason for using grsec at all. Just
put SELinux and PaX together and your system will be secure. Promise.

2) I don't see any evidence to suggest that splitting them up will be
easier to maintain. Since all of the patches modify similar areas, it
looks in fact that I would have to supply 7 separate patches, for all
possible grsec combinations so that these patches could apply cleanly
and properly. In fact, in 2.6 I use the PaX patch directly and it
requires much more work to do that than it does to update based on diffs
from the pax tree in CVS.

3) You have the source, why are you asking me to do the work? Having me
do something that causes more maintenance with no real benefit doesn't
sound like a good way to 'build a community'.

-Brad