Re: [Tails-dev] grsec [Was: Upgrading the Linux kernel for 1…

Author: Jacob Appelbaum
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] grsec [Was: Upgrading the Linux kernel for 1.0?]
On 4/5/14, intrigeri <intrigeri@???> wrote:
> Hi,
>
> Jacob Appelbaum wrote (05 Apr 2014 08:26:27 GMT) :
>>>     2. the Linux maintainers in Debian, and the stable release
>>>        manager, get an idea of how much critical paths are extended in
>>>        practice... and get confidence in the grsec team;

>
>> That is upstream isn't it? That is - the kernel team in Debian has
>> been working with upstream to ensure the two kernel trees are in sync,
>> right?
>
> No, I was rather speaking of the team that maintains the grsec-patched
> kernel (be it a flavour, something built from linux-source, or
> whatever) in Debian. It'll be clearer to you once you've read the bug,
> hopefully :)
>


Ok. I understand - well, I'll have to ask Spender if he is up for it.

>>>     3. users who want, or need, a hardened kernel -- of course! :)

>>>
>>>> I discussed this with another Debian developer and they felt that
>>>> a kernel flavor is the way to go.
>>>
>>> After quickly skimming over #605090 again, I doubt this will be
>>> acceptable without a strong team, that has proven they are able to be
>>> fast enough not to delay non-grsec kernel updates (too much).
>>>
>
>> I think we should ask Spender to join such a team. Also, I guess I'd
>> ask you too. :)
>
> I'm afraid I am not knowledgeable in maintaining (potentially
> conflicting) changes to the kernel source, but I'll gladly be
> a tester.
>


There would be a single patch to the kernel - that is the massive
grsec patch. Spender has done all of the other hard work. And for
years, I might add. We'll certainly need testing too.

>>>> How might we ship grsec + pax to end users? What would be useful here
>>>> for me to do? I'm happy to rebuild the kernel with the specific
>>>> patches but I'm sure that is far from enough... :)
>>>
>>> I'm afraid I don't get what you mean here.
>>>
>
>> I was thinking that we should come up with a todo list - for example -
>> to ship an experimental grsec kernel in the next version of tails (to
>> be selected by beta testers).
>
>> eg:
>
>> 0. create a .dsc that builds a kernel with stock grsec
>> 1. build it
>> 2. integrate it into tails by doing x, y, z
>
> I'd rather see progress on the Debian side of things first, but
> providing an experimental Tails ISO with this kernel would definitely
> be a great way to get feedback on whatever product the team that takes
> care of it in Debian creates :)


Sure, that can be a TODO list for Debian. I tend to think that
whatever package I make should be fitting for Debian but I'd also like
to test it in the place where I care about it working. I want it to
work for Debian at large but I want it to first work for Tails. If it
is good enough for Tails, it will be good enough for Debian. The
inverse is not always true...

All the best,
Jake