Ubuntu Hardened work, implementation and deployment schema

Brandon Hale brandon at smarterits.com
Sun Mar 27 05:25:33 CST 2005

On Sat, 2005-03-26 at 23:18 -0500, John Richard Moser wrote:
> You have PaX by default, but not PT_PAX_FLAGS.  Perhaps that should be
> on by default too.  It's quite well tested in gentoo.

PaX by default at this point would be a maintainability nightmare. I'm
sure you'll recall the maintenance problems in Gentoo.  This will be
greatly worsened by the retirement of PageExec, and the Ubuntu kernel
team will surely not appreciate great delays and/or extra work for every
upstream release (and some security issues, you will recall binfmt_elf).
I've demoted PaX to Universe on our wiki page, but include PT_PAX_FLAGS
in Main.  This will still require a good discussion of the pros and cons
of PT_PAX_FLAGS over PT_GNU_STACK, which is currently less intrusive and
supported by ES and mainline NX code. Besides the binutils patch I can't
imagine any overhead added by simply supporting PT_PAX_FLAGS as well,
however.  If we begin marking packages at build/install time, the
duplication will be apparent, however.

PS, why did we make our own list and continue to CC -devel?
Let's stop this on the next thread please.

> Lorenzo Hernández García-Hierro wrote:
> > Hi,
> > 
> > I've made available the schema that explains how the Ubuntu Hardened
> > project is organized in terms of implementation, deployment and work.
> > 
> > It's a relation of the changes made or going to be made to both userland
> > and kernel level, the packages related with them, what they provide and
> > the priority or importance that they have.
> > 
> > It's currently available at
> > http://pearls.tuxedo-es.org/misc/ubuntu-hardened-schema.png
> > 
> > Comments appreciated ;)
> > 
> > Cheers,
> > 
> --
> All content of all messages exchanged herein are left in the
> Public Domain, unless otherwise explicitly stated.
>     Creative brains are a valuable, limited resource. They shouldn't be
>     wasted on re-inventing the wheel when there are so many fascinating
>     new problems waiting out there.
>                                                  -- Eric Steven Raymond

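To make the PT_GNU_STACK / PT_PAX_FLAGS distinction discussed above concrete, here is an added example (not from the thread or any Ubuntu package) that reads an ELF image's program headers and reports which of the two markings it carries and whether the stack is marked executable. The minimal ELF64 image built by `make_elf64` is constructed test input, not a real binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # stack-permission marker emitted by GNU binutils (PT_LOOS + 0x474e551)
PT_PAX_FLAGS = 0x65041580   # per-binary PaX control marker added by the PT_PAX_FLAGS binutils patch
PF_X = 0x1                  # executable bit in p_flags


def elf_stack_markings(data: bytes) -> dict:
    """Scan program headers; 'gnu_stack' is None if absent else True when the
    stack is executable; 'pax_flags' is None if absent else the raw p_flags word.
    Note: a missing PT_GNU_STACK means the loader falls back to its default,
    which on x86 is an executable stack."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                      # Elf64_Phdr: p_flags follows p_type
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                     # Elf32_Phdr: p_flags sits after p_memsz
    result = {"gnu_stack": None, "pax_flags": None}
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
        if p_type == PT_GNU_STACK:
            result["gnu_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            result["pax_flags"] = p_flags
    return result


def make_elf64(phdrs):
    """Constructed minimal little-endian x86-64 ELF image: 64-byte header followed
    by one 56-byte program header per (p_type, p_flags) pair; no loadable content."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:     # e.g. a freshly built package binary
        print(elf_stack_markings(fh.read()))
```

Run it over a build tree to spot binaries that a PT_GNU_STACK-aware toolchain left with an executable stack, or that carry no marking at all.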