[grsec] Kernel version tracking policy?
pageexec at freemail.hu
pageexec at freemail.hu
Fri Jul 20 09:16:25 EDT 2007
On 13 Jul 2007 at 0:43, Mike Perry wrote:
> Is there any strategy behind the current efforts to support particular
> kernel versions?
yes, there is a strategy, if you want to call it that ;-). it is
about minimizing the waste we have to spend on tracking the 'stable'
2.6 series (vs. developing new features). the fundamental question
to answer is about how often one should do a forward port in order
to track the changes in 2.6. my experience is that i'd be lost in
the woods pretty quickly if i skipped several versions in a row,
there's just that many core changes to code that PaX also patches
itself. not keeping up with them from release to release would result
in a disproportionally larger effort later to do a forward port. this
is not to say that the version by version tracking doesn't require
a lot of time already, but it's still less than the alternatives.
in short, the choice is between bad and worse ways of tracking 2.6,
the whole thing is fundamentally a waste but we have to live with it.
> I would think that most grsecurity users would want both security
> and stability on their production systems.
we said it before, but here it is again: don't use 2.6 in such cases
then. with or without grsecurity, it's the biggest security risk among
all linux versions. whenever you use 2.6, you already decided to trade
security for features/etc and discussion of which 2.6.x to track for
stability and security misses the point.
More information about the grsecurity
mailing list