Usually I'm ahead of the hardened-dev-sources. With the most recent grsecurity patch, I was testing it on my custom 2.6.10 sources the day it came out. The updated hardened-dev-sources came out days later. That's still very good, and more than adequate for most people, but when it comes to security, if I can do it sooner, I do.
I also have not been entirely satisfied with the documentation of many patched sources. For some sources there is a web page that tells what patches were applied, but I have had a very difficult time finding those pages on occasion, and they are often not kept up to date. I don't know why the patch list is not linked from the kernel-guide documentation. The general response I have gotten is to look at the changelog. That's not sufficient. The changelog is chronological, and it doesn't make sense to have to look through a huge list of changes over several months or years, to see what patches are in the current kernel. Also, they do not necessarily list things like the specific version of a patch. I've often seen something like "updated for 2.6.10", in the changelog. That doesn't tell me anything about what was actually done. When security is a concern, I think the utmost transparency is required, and that's often not the case with the patched sources I have seen.
Additionally, hardened-dev-sources pretty much only has security patches and nothing more. If there are numerous patches I need in addition to those, I'd rather just start from scratch.
Although I think general patches like grsecurity should be part of the kernel security sub-project, what I really meant as far as a central repository for security patches is stuff like the smbfs security fix that was released a while back. Every vendor had patched kernels very quickly, and many Gentoo-supported sources had it quickly, but to me, if I had just been able to emerge the patch and apply it myself, it would have been much quicker. When you are talking about numerous patches, not just one, that becomes more of an issue.
What you mention in the last paragraph is pretty much what I'm looking for: having the patches there and being able to choose which ones go into the kernel I build. It should take less time to get a new patch up than it does to incorporate it into a kernel, and then it can be left up to the user to get it in if they can do it sooner. I think the idea of being able to build the kernel with the exact patches you want fits in very well with the whole Gentoo philosophy, and would be preferred to having to just download the vanilla sources and spend a great deal of time searching for all the various patches one wants to apply.
Vern
-----Original Message-----
From: Philip Ludlam [mailto:nospam@philipnet.com]
Sent: Sun 1/16/2005 2:35 PM
To: gentoo-security@lists.gentoo.org
Cc:
Subject: RE: [gentoo-security] Security Project goals for 2005
On 16 Jan, in message <F62740B0EFCFC74AA6DCF52CD746242D010337CA@iu-mssg-mbx05.exchange.iu.edu>
"Wilkins, Vern" <vwilkins@indiana.edu> wrote:
>How about a central repository for kernel security patches? For the utmost security, I always build my own kernel sources, but it's a lot of work having to go to so many sites collecting the various patches.
Isn't this covered by the hardened gentoo stuff?
I think the aim of the kernel security subproject was to limit it to
kernel security fixes, rather than also incorporate the other kernel
patches that can also be included.
As I see it, it would be nice if there was a single (sub)project that
took the source code for the latest stable kernel (2.4.x) + any official
fixes/patches for exploits + the slightly less official/options patches
for increased security/hardening and allowed the sys admin to build
their own kernel with their own options.
It may exist, but I last ran Gentoo last weekend (I'm experimenting
with various Linux distros and it's Debian Testing ATM), so I can't
tell.
Yours,
Phil L.
--
http://philipnet.com |
http://director.sf.net |
http://sms2003.com/philipnet/
--
gentoo-security@gentoo.org mailing list