
Re: Announcing security hardened kernels for testing

Subject: Re: Announcing security hardened kernels for testing
From: John Richard Moser
Date: Fri, 07 Jan 2005 13:07:24 -0500

John Richard Moser wrote:
| Matt Zimmerman wrote:
| | On Tue, Jan 04, 2005 at 04:27:44PM +0000, Mike Hearn wrote:
| |
| |>On Tue, 04 Jan 2005 16:16:55 +0100, Martin Pitt wrote:
| |>
| |>Why was PaX chosen over exec-shield? The Linux community has much
| |>more experience with this set of patches than PaX, I know we
| |>already dealt with some of the fallout of that in the Wine project.
| |
| (pay attention to the comments at the end about the age and development
| status of PaX and ES)

I should have been more clear here.  I wasn't talking about the
community's experience, but counterarguing with the technical merit of
PaX over ES based on the developer's experience.  The community can
adjust to PaX easily; but the software won't magically adjust to be
better just because the community uses it.

For a counterargument based on the community, I should point out that I
have been using PaX, and have located a lot of the incompatibilities on
x86.  The Hardened Gentoo and Adamantix projects also have been using
PaX.  The Hardened Debian team picked PaX when they started.  GrSecurity
is based around PaX.  YOU may not have experience with it, but you've
got a lot of help if you know where to look.  The community will adjust,
and they'll adjust quickly.


| [1] is a detailed explanation of PaX; [2] has a comparison of
| technologies.  [3] is skeletal and needs more data.  It's notable that
| PaX is from October, 2000, and still actively maintained; while ES and
| W^X both are from May, 2003, and are still actively maintained.  PaX
| therefore has seniority.  The PaX developer, unlike Ingo Molnar, is also
| more of a security guy than a random kernel hack guy; Ingo is good at
| making new preemption schemes and schedulers, and should probably focus
| more on that.

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
