Re: Support Grsecurity/PaX
PaX Team
On 19 Aug 2015 at 13:37, Dan Kohn wrote:
Hi Dan,

On Wed, Aug 19, 2015 at 11:32 AM, Jason A. Donenfeld <Jason@...> wrote:

Let's hope you only had bad luck and that's why you aren't aware of

Of course there are worthwhile

One last question for you: could you name other such projects (not any of these ;)

http://lttng.org/download/
http://www.sysdig.org/wiki/how-to-install-sysdig-from-the-source-code/
http://open-mx.gforge.inria.fr/download/
http://knem.gforge.inria.fr/download/
http://download.savannah.gnu.org/releases/davfs2/
http://www.openafs.org/release/index.html
http://www.asterisk.org/downloads/dahdi
https://www.virtualbox.org/wiki/Downloads
https://www.jetico.com/linux/installation.html
http://zfsonlinux.org/
http://aufs.sourceforge.net/
http://cryptodev-linux.org/download.html
http://loop-aes.sourceforge.net/loop-AES/
https://www.rsbac.org/download
http://cdemu.org/about/vhba/
https://github.com/vmware/open-vm-tools
http://scst.sourceforge.net/downloads.html
http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/

As for the requirement of mainlining grsec, it's not possible since we know right off the start that some of the features and other changes are not acceptable at all (say, all the x86 segmentation based code).

Second, for the potentially viable pieces this would be a multi-year full time job. Is the CII willing to fund projects at that level? If not we all would end up with lots of unfinished and partially broken features.

Third, you're actually wrong as to what is needed for mainline acceptance, it's most definitely not enough to dump the code on them and let the community figure it all out and take care of it. If anything, the exact opposite is true, for any non-trivial amount of code there has to be a pledge for long-term maintenance from the submitters (so regardless where grsec stays, in-tree or out-of-tree, the maintenance burden would still be ours for some years at least, with corresponding need of funding).

Fourth, you mentioned the potential futility of not funding grsec indefinitely. It begs the question why it is then worth doing the same for the fuzzing project or Frama-C. I hope no one at CII believes that a year or two of fuzzing and static analysis will exterminate all bugs so what happens after their funding runs out? Or are you suggesting that they can be funded indefinitely but for some reason grsec could not be?

In any case, it is your money and decision at the end and we thank you for your attention at least. However it is also clear that we have a different understanding of what constitutes securing the core infrastructure.

cheers,
PaX Team