[ubuntu-hardened] Re: Ubuntu Hardened work, implementation and deployment schema

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Mon Mar 28 03:24:13 CST 2005

On Sun, 27-03-2005 at 14:16 -0500, John Richard Moser wrote:
> yes, but PaX is set on by default in Lorenzo's diagram.  I was
> suggesting PT_PAX_FLAGS to be default as well, as it's well tested to do
> nothing to a vanilla and to work with PaX.

s/PaX is/PaX and ExecShield are/

Which means, in short, we would go in the way that makes our maintenance
work better and easier.
It depends on the future of PaX.
It depends on the scope of mainline.
It depends on the work of the people going to work around it in the
future, who can't assess the risk of having something that can lead to
unexpected maintenance overhead and other undesired problems.

> Couldn't binutils emit both in the interim?  Also as I said before in
> another post, it may be more robust to patch vanilla and ES to use
> PT_PAX_FLAGS, as PT_PAX_FLAGS supports a wider range of options, some of
> which map well back to mainline NX code and ES.  I'd like to see
> everything maintained once; if it works in PaX, then ES and mainline
> should also work with it.

Then you should ask the upstreams. I could take a look at it, but is it
worth the effort needed to get it working with no overhead and
bullshit around?

Do you really think that maintainers want to mess with upstream's work?
They can submit changes and give something back, and not much more.

As I said before, and as it's reflected in the diagram, we could support
both but PT_GNU_STACK will be our default.

> duplication with chpax/paxctl?  It's called a "transitional phase" I
> believe, which would continue until the PT_PAX_FLAGS can make it to
> mainline binutils and everyone catches up.  As I said above, forming a
> good mapping between PT_PAX_FLAGS and PT_GNU_STACK for ES and Mainline
> and then eliminating PT_GNU_STACK would probably be the most robust
> solution.

PT_PAX_FLAGS in binutils mainline? Do you really mean that?
Eliminating PT_GNU_STACK?

What are we talking about all the time? The mainline itself.
What are you talking about most of the time? Mainline acceptance of arbitrary
changes themselves.

Isn't it clear? You must propose that to mainline, we can't assess the
risk of maintaining arbitrary solutions if we have similar ones in

You propose good things, but many of them in the wrong place.

Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]