Re: Support Grsecurity/PaX

Dan Kohn <dan@...>

Thanks for the comment. Has anything significant changed since 2009?

If members of the PAX team would like to apply for a grant to break up
their work and work with upstream to get it included in mainline
Linux, CII would be happy to consider it.
Dan Kohn <dan@...>

On Wed, Aug 19, 2015 at 9:12 AM, Jason A. Donenfeld <Jason@...> wrote:
Dear Core Infrastructure Initiative:

I do consulting for several different security companies. The uniform advice
across the industry is: if you want to deploy Linux securely, be sure to be
using a Grsecurity/PaX kernel. This advice is given time after time in
reports authored by several security companies for whom I consult. And
companies who take their security seriously wind up using Grsecurity/PaX.
This isn't just security-scare-speak rattling the saber; this is pretty much
essential and true. As somebody who works day in day out developing exploits
and finding vulnerabilities, I can tell you that Grsecurity/PaX makes my work
considerably more difficult. The defenses Grsecurity/PaX offers are real,
and are useful. They're doing important work, and as a whole they're moving
everybody forward.

Simply put, anybody serious about security uses a Grsecurity/PaX kernel.

Yet, as far as I can see, the developers (CC'd) receive basically no
funding, and since the source they release is GPL, the thousands of
companies who deploy Grsecurity/PaX are not compelled to give any financial
support. As such, the financial situation of the developers is in nearly
constant peril, and this core Linux project lives under a consistent
existential threat.

Were it not for Grsecurity/PaX, I would probably not be using the Linux
kernel in my mission critical infrastructure, in favor of some flavor of BSD
that's copied Grsecurity/PaX's techniques. Or simply in favor of a smaller,
less performant, more minimal BSD kernel that would be a big hassle but
would have a smaller attack surface. However, since there is Grsecurity/PaX,
I feel a bit more comfortable deploying Linux. And I think many in the
security industry feel the same.

So, Core Infrastructure Initiative - please - consider supporting them. I'm
not affiliated with them in any way, but in stumbling across CII, and
reviewing what CII is up to, it struck me that there's currently a glaring
omission in supported projects. Grsecurity/PaX ought to be at the top of the

Thank you,

Jason Donenfeld

cii-census mailing list