(sorry for top-posting, our message system doesn't believe anything else is possible) The funding for the fuzzing project is intentionally short-to-medium-term, with two goals: helping to learn the

Hi Dan, It'd be a tough work to break up the features of PaX/Grsec and push them into upstream, separately. The fact is vanilla kernel community don't care about mitigation. People who runs GNU/Linux

On 19 Aug 2015 at 13:37, Dan Kohn wrote: Hi Dan, > On Wed, Aug 19, 2015 at 11:32 AM, Jason A. Donenfeld <Jason@...> wrote: > > Of course there are worthwhile > > kernel projects that are not a

One last question for you: could you name other such projects (not necessarily security-related). Nearly every other out-of-mainline project I'm aware of has eventually either merged or died

Hopefully the Grsecurity/PaX developers are actually reading this thread and do consider applying! One last point, and then I'll fade away a little bit. There is a set of projects that are core

Jason, I do see your points, and the Grsecurity team is welcome to apply for funding whether they want to upstream their work as patches or keep it out-of-mainline. I am pointing out that

That's a nearly reasonable objection, but I think it's a bit narrow of a vision on how many open projects work. More generally, it's "how can a small but essential open source project be supported?"

On Wed, Aug 19, 2015 at 10:21 AM, Jason A. Donenfeld <Jason@...> wrote: Jason, if CII funded Grsecurity/PaX for a year or two, it would keep the project going, but then what? It is unlikely

Please do try to consider Grsecurity/PaX as not "just another out of tree patchset" but rather a mission critical project that serves a real world benefit in addition to pushing the bounds with the

CII follows the philosophy of Linux development that long-term, out-of-mainline patches are problematic because of the maintenance issues and lack of peer-review. Of course, the Grsecurity/PaX team

I believe there have been significant changes since 2009. I'll let the Grsecurity/PaX developers chime in on this, I guess. It's important to note, though, that it shouldn't be considered relevant

Thanks for the comment. Has anything significant changed since 2009? https://lwn.net/Articles/313621/ If members of the PAX team would like to apply for a grant to break up their work and work with

Dear Core Infrastructure Initiative: I do consulting for several different security companies. The uniform advice across the industry is: if you want to deploy Linux securely, be sure to be using a

We accepted issue#21 in the "develop" branch, which changes the scoring. See here for why and more detail: https://github.com/linuxfoundation/cii-census/issues/21 We'd like to push this branch to

FYI, I read about the Linux foundations's core infrastructure census project. Related to this, we analyzed networking related issues in Linux applications a few years back in

I've been lurking and watching the pull requests, and this set of updates certainly gets my vote, for what that's worth. From: dwheeler@... At: Jul 27 2015 16:18:56 To: cii-census@... Subject:

Sam and I have a minor update of the cii-census queued up in the "develop" branch. Below is a draft ChangeLog. I'd like to release the develop branch this Wednesday as the new "master" branch. I

Hello, I found the paper about possibly vulnerable and critical software very informative. The paper mostly focused on core, web and development software. However, I think the full list of

Thanks for bringing this to our attention. It's been forwarded to the CII Steering Committee for discussion. From: pabs3@... At: Jul 13 2015 13:43:19 To: cii-census@... Subject: Re:[cii-census]

Hi, The Trinity fuzzer is essential to ensuring the security and reliability of the Linux kernel. The author of it has just quit working on it. It would be great if LF could repair the damage done by