Re: Support Grsecurity/PaX

Home Messages Hashtags Subgroups

#20

Re: Support Grsecurity/PaX

Dan Kohn <dan@...> #20 Thanks for the comment. Has anything significant changed since 2009? https://lwn.net/Articles/313621/ If members of the PAX team would like to apply for a grant to break up their work and work with upstream to get it included in mainline Linux, CII would be happy to consider it. https://www.coreinfrastructure.org/contact -- Dan Kohn <mailto:dan@dankohn.com> tel:+1-415-233-1000 toggle quoted messageShow quoted text On Wed, Aug 19, 2015 at 9:12 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote: Dear Core Infrastructure Initiative: I do consulting for several different security companies. The uniform advice across the industry is: if you want to deploy Linux securely, be sure to be using a Grsecurity/PaX kernel. This advice is given time after time in reports authored by several security companies for whom I consult. And companies who take their security seriously wind up using Grsecurity/PaX. This isn't just security-scare-speak rattling the saber; this is pretty much essential and true. As somebody who works day in day out developing exploits and finding vulnerability, I can tell you that Grsecurity/PaX makes my work considerably more difficult. The defenses Grsecurity/PaX offers are real, and are useful. They're doing important work, and as a whole they're moving everybody forward. Simply put, anybody serious about security uses a Grsecurity/PaX kernel. Yet, as far as I can see, the developers (CC'd) receive basically no funding, and since the source they release is GPL, the thousands of companies who deploy Grsecurity/PaX are not compelled to give any financial support. As such, the financial situation of the developers is in nearly constant peril, and this core Linux project lives under a consistent existential threat. Were it not for Grsecurity/PaX, I would probably not be using the Linux kernel in my mission critical infrastructure, in favor of some flavor of BSD that's copied Grsecurity/PaX's techniques. Or simply in favor of a smaller, less performant, more minimal BSD kernel, that would be a big hassle, but would have a smaller attack surface. However, since there is Grsecurity/PaX, I feel a bit more comfortable deploying Linux. And I think many in the security industry feel the same. So, Core Infrastructure Initiative - please - consider supporting them. I'm not affiliated with them in anyway, but in stumbling across CII, and reviewing what CII is up to, it struck me that there's currently a glaring omission in supported projects. Grsecurity/PaX ought to be at the top of the list. Thank you, Jason Donenfeld _______________________________________________ cii-census mailing list cii-census@lists.coreinfrastructure.org https://lists.coreinfrastructure.org/mailman/listinfo/cii-census
More

View All 18 Messages In Topic

#20

Join cii-census@lists.coreinfrastructure.org to automatically receive all group messages.

Home Messages Hashtags Subgroups Terms