[grsec] grsec patch for 2.6.15?
Carlos Carvalho
carlos at fisica.ufpr.br
Mon Jan 9 18:38:14 EST 2006

Dan Hollis (reg5423374856 at anime.net) wrote on 9 January 2006 12:17:
>On Mon, 9 Jan 2006, pageexec at freemail.hu wrote:
>> On 9 Jan 2006 at 12:57, Carlos Carvalho wrote:
>>> Is there an expected release date for the 2.6.15 version? I tried to
>>> use the latest one from ~spender but there are too many rejects that I
>>> don't know how to fix...
>> most likely i'll skip .15.
>>> 2.6.15 contains numerous fixes and enhancements for server features
>>> that make it worth upgrading. It'll be my first try on a critical
>>> server that's running 2.4.32.
>> what i said about 2.6 security a while ago still applies, all the more
>> as it proved true time and again.
>> http://forums.grsecurity.net/viewtopic.php?t=968
>
>Unfortunately 2.4.x doesn't support my hardware at all, so 2.4 is no
>choice.
>
>This attitude toward kernel security is very curious; if your assertion is
>true then surely 2.6 is needing pax more than anything. So the choice to
>deliberately skip supporting it is strange.
>
>It's a tactic I might expect from microsoft or maybe theo de raadt, it's
>surprising to see it here.

I think he means that grsec is not a cure for everything, and that by
using a fast moving kernel you won't have security anyway. Therefore,
at first sight, it would be a waste of his effort to adapt pax to such
a kernel.

I agree that security is better with 2.4 but security is not the only
issue in running a machine. There's the hardware one, and also several
features that exist in 2.6 only such as journalled quotas and various
raid enhancements. Sometimes I choose to either do something well or
not do it; however sometimes I have to make a compromise. In this case
I'd like to use grsec combined with all the other security measures I
already have in place and try to have our server not freeze every damn
week, or at least have a diagnostic of the reason, which I could not
get with 2.4 in the last 6 months...

So I'd like to emphasize that running such a kernel is not always
carelessness or incompetence, and that the developers' time and effort
is indeed being given the value it deserves.