Announcing security hardened kernels for testing

John Richard Moser nigelenki at comcast.net
Fri Jan 7 12:07:24 CST 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



John Richard Moser wrote:
|
|
| Matt Zimmerman wrote:
| | On Tue, Jan 04, 2005 at 04:27:44PM +0000, Mike Hearn wrote:
| |
| |
| |>On Tue, 04 Jan 2005 16:16:55 +0100, Martin Pitt wrote:

[...]

| |>Why was PaX chosen over exec-shield? The Linux community has much
greater
| |>experience with this set of patches than PaX, I know we
| |>already dealt with some of the fallout of that in the Wine project.
| |
|
| (pay attention to the comments at the end about the age and development
| status of PaX and ES)
|

I should have been more clear here.  I wasn't talking about the
community's experience, but counterarguing with the technical merit of
PaX over ES based on the developer's experience.  The community can
adjust to PaX easily; but the software won't magically adjust to be
better just because the community uses it.

For a counterargument based on the community, I should point out that I
have been using PaX, and have located a lot of the incompatibilities on
x86.  The Hardened Gentoo and Adamantix projects also have been using
PaX.  The Hardened Debian team picked PaX when they started.  GrSecurity
is based around PaX.  YOU may not have experience with it, but you've
got a lot of help if you know where to look.  The community will adjust,
and they'll adjust quickly.

[...]

| [1] is a detailed explaination of PaX; [2] has a comparison of
| technologies.  [3] is skeletal and needs more data.  It's notable that
| PaX is from October, 2000, and still actively maintained; while ES and
| W^X both are from May, 2003, and are still actively maintained.  PaX
| therefore has seniority.  The PaX developer, unlike Ingo Molnar, is also
| more of a security guy than a random kernel hack guy; Ingo is good at
| making new preemption schemes and schedulers, and should probably focus
| more on that.
|

[...]
- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB3s/ZhDd4aOud5P8RAoUYAJ0RM5pQBv8SZCjhySHUqIPYcmavOgCgioAT
L8cNaoxJAT1d3ewFcFNaSXY=
=y3Au
-----END PGP SIGNATURE-----

More information about the ubuntu-devel mailing list