Mailing List Archive

1 2  View All
Re: Technical repercussions of grsecurity removal [ In reply to ]
Hi!

On Fri, May 12, 2017 at 09:10:43PM +0200, "T?th Attila" wrote:
> Please take a look at on the reply of PaxTeam postend on the openwall
> mailing list:
> http://openwall.com/lists/kernel-hardening/2017/05/11/2

What's for? It's pointless. Only very few people are really interested
(i.e. not just curious) in knowing who is paid by which company for doing
what, who makes more real bugs, and who lies about something.

The important questions about how to keep current level of protection for
individual/small business users and how users of some distributions like
Gentoo/Ubuntu/Android can be protected with GrSec/PaX are still unanswered.

While large companies may buy subscription for GrSec/PaX the mentioned
above categories of users can't (correct me if I'm wrong, please) - so
effectively the change in GrSec policy makes harm and punish mostly these
categories of users. If that's real GrSec/PaX goal - it's very sad but
they probably have rights to do this (except their public reasoning
doesn't match what they actually do, so probably there are some unsaid
reasoning exists too), but if it's not their real goal - then they
probably should provide some options for these categories of users too.

--
WBR, Alex.
Re: Technical repercussions of grsecurity removal [ In reply to ]
On Fri, May 12, 2017, at 16:38, Alex Efros wrote:
> Hi!
>
> On Fri, May 12, 2017 at 09:10:43PM +0200, "Tóth Attila" wrote:
> > Please take a look at on the reply of PaxTeam postend on the openwall
> > mailing list:
> > http://openwall.com/lists/kernel-hardening/2017/05/11/2
>
> What's for? It's pointless. Only very few people are really interested
> (i.e. not just curious) in knowing who is paid by which company for doing
> what, who makes more real bugs, and who lies about something.
>
> The important questions about how to keep current level of protection for
> individual/small business users and how users of some distributions like
> Gentoo/Ubuntu/Android can be protected with GrSec/PaX are still
> unanswered.
>
> While large companies may buy subscription for GrSec/PaX the mentioned
> above categories of users can't (correct me if I'm wrong, please) - so
> effectively the change in GrSec policy makes harm and punish mostly these
> categories of users. If that's real GrSec/PaX goal - it's very sad but
> they probably have rights to do this (except their public reasoning
> doesn't match what they actually do, so probably there are some unsaid
> reasoning exists too), but if it's not their real goal - then they
> probably should provide some options for these categories of users too.
>
> --
> WBR, Alex.

Individuals can certainly request a quote -- I did -- their director of
sales is very patient, considerate and accommodating. Unfortunately the
price is quite a bit more than I can personally afford at present.


I don't personally doubt PaXteam/Spenders stated reasoning. It appears
they've encountered a quite aggravating situation with what may amount
to plagiarists. The post Dr. Toth linked closely mirrored what I
initially anticipated from observing kspp and the like from afar. I
think they're in a crap situation and what they've done is one of the
better of several bad options.


So, I am considering the costs of alternative control environments for
my personal systems, perhaps it will be worth the quoted price after all
once I've assessed options.

But, point being, if paying is not out of the question I think you
should request a quote.


--
0x7D964D3361142ACF

1 2  View All