Hi All,
2014-04-15 18:15 GMT+02:00 Thomas Goirand :
> On 04/15/2014 06:00 PM, Balint Reczey wrote:
>> Hi,
>>
...
>> My proposal for serving those security-focused users is introducing a
>> new architecture targeting amd64 hardware, but with more security
>> related C/C++ features turned on for eve
On Wed, Apr 23, 2014 at 05:02:03PM +0100, Ben Hutchings wrote:
> No, I meant that you might build a single binary package that would
> contain the grsec-patched source. That would encourage building custom
> kernels with build-time randomisation. I understand that's not the way
> you want to go.
On Wed, 2014-04-23 at 17:34 +0200, Yves-Alexis Perez wrote:
> On Wed, Apr 23, 2014 at 12:45:10PM +0100, Ben Hutchings wrote:
> > On Tue, 2014-04-22 at 22:41 +0200, Yves-Alexis Perez wrote:
[...]
> > The options I see are:
> > - Provide a source package based on src:linux that includes only the
> >
On Wed, Apr 23, 2014 at 12:45:10PM +0100, Ben Hutchings wrote:
> On Tue, 2014-04-22 at 22:41 +0200, Yves-Alexis Perez wrote:
> [...]
> > NOTE: I don't want to dismiss Mempo attempts, especially the
> > reproducible build part, and I also think it's valuable to provide our
> > users a grsec kernel a
On Tue, 2014-04-22 at 22:41 +0200, Yves-Alexis Perez wrote:
[...]
> NOTE: I don't want to dismiss Mempo attempts, especially the
> reproducible build part, and I also think it's valuable to provide our
> users a grsec kernel as part of the distribution, just that I preferred
> to go the featureset w
On Tue, Apr 22, 2014 at 08:30:01PM +0100, Ben Hutchings wrote:
> On Mon, 2014-04-21 at 05:28 +0200, Carlos Alberto Lopez Perez wrote:
> > On 17/04/14 00:23, Aaron Zauner wrote:
> > > Now shipping grsec is a really good idea. I'd like to see that as well.
> >
> > There has been an attempt to provid
On Mon, 2014-04-21 at 05:28 +0200, Carlos Alberto Lopez Perez wrote:
> On 17/04/14 00:23, Aaron Zauner wrote:
> > Now shipping grsec is a really good idea. I'd like to see that as well.
>
> There has been an attempt to provide an official grsec-flavour of the
> Debian kernel, but it didn't work:
previously on this list Carlos Alberto Lopez Perez contributed:
> > Now shipping grsec is a really good idea. I'd like to see that as well.
>
> There has been an attempt to provide an official grsec-flavour of the
> Debian kernel, but it didn't work:
>
> http://bugs.debian.org/cgi-bin/bugrep
On 17/04/14 00:23, Aaron Zauner wrote:
> Now shipping grsec is a really good idea. I'd like to see that as well.
There has been an attempt to provide an official grsec-flavour of the
Debian kernel, but it didn't work:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090
For those interested
2014.04.20. 7:47, "Riku Voipio" wrote:
>
> On Sat, Apr 19, 2014 at 02
>
> On Sat, Apr 19, 2014 at 02:06:45PM +0200, Bálint Réczey wrote:
> > Hi Riku,
> >
> > 2014-04-19 13:26 GMT+02:00 Riku Voipio :
> > > On Tue, Apr 15, 2014 at 12:00:33PM +0200, Balint Reczey wrote:
> > >> Facing last week's H
On Sat, Apr 19, 2014 at 02:06:45PM +0200, Bálint Réczey wrote:
> Hi Riku,
>
> 2014-04-19 13:26 GMT+02:00 Riku Voipio :
> > On Tue, Apr 15, 2014 at 12:00:33PM +0200, Balint Reczey wrote:
> >> Facing last week's Heartbleed [1] bug the need for improving the
> >> security of our systems became more a
previously on this list Michael Tautschnig contributed:
> > Riding the Heartbleed publicity wave seems unwise, unless you can
> > propose a hardening flag that would have protected users from
> > Heartbleed. Else, Heartbleed merely serves as an example
> > how wallpapering problems over with "harde
On Sat, Apr 19, 2014 at 14:26:59 +0300, Riku Voipio wrote:
[...]
> Riding the Heartbleed publicity wave seems unwise, unless you can
> propose a hardening flag that would have protected users from
> Heartbleed. Else, Heartbleed merely serves as an example
> how wallpapering problems over with "harde
Hi Riku,
2014-04-19 13:26 GMT+02:00 Riku Voipio :
> On Tue, Apr 15, 2014 at 12:00:33PM +0200, Balint Reczey wrote:
>> Facing last week's Heartbleed [1] bug the need for improving the
>> security of our systems became more apparent than usual. In Debian
>> there are widely used methods for Harden
On Tue, Apr 15, 2014 at 12:00:33PM +0200, Balint Reczey wrote:
> Facing last week's Heartbleed [1] bug the need for improving the
> security of our systems became more apparent than usual. In Debian
> there are widely used methods for Hardening [2] packages at build time
> and guidelines [3] for
On Fri, 18 Apr 2014 14:57:41 +0200
Aaron Zauner wrote:
> > Usually the Linux kernel itself provides more than enough entropy. This
> > can (and probably should) be enhanced but should not be done in a
> > specific distribution.
I know there has been a little work on the kernel in this area, main
Hi,
On 18/04/2014 00:15, Kevin Chadwick wrote:
> OpenBSD employs randomisation all over and recently starting with the
> boot loader.
I do not object to use such techniques (randomisation for example) by
default. However, it must be easy to disable them.
Indeed: not all computers are us
Hi Kevin,
Kevin Chadwick wrote:
>
> However I do believe Debian and Linux should be doing a lot more
> outside of grsec/pax/gentoo hardened. I could be wrong but I'm under the
> impression that Ubuntu is ahead (maybe just as more bleeding edge and
> PAE by default etc. though I am surprised they
previously on this list Aaron Zauner contributed:
I agree with MACs being questionable in that they are an extra
*FINAL* layer only really effective on simple systems where they
arguably aren't needed, can be circumvented by kernel exploits and
often MACs are used on systems despite the wide rangi
Hi Balint,
Bálint Réczey wrote:
> The upstream project I'm most involved in is Wireshark where we try to
> employ most of the state of the art techniques for improving code
> quality but I think the Wireshark project is in much better position
> than most other projects. Thanks to dedicated team a
Hi Steve,
2014-04-15 20:07 GMT+02:00 Steve Langasek :
> On Wed, Apr 16, 2014 at 12:15:22AM +0800, Thomas Goirand wrote:
>> > My proposal for serving those security-focused users is introducing a
>> > new architecture targeting amd64 hardware, but with more security
>> > related C/C++ features turn
Hi Aaron,
2014-04-16 13:49 GMT+02:00 Aaron Zauner :
> Hi Balint,
>
> Balint Reczey wrote:
>> Hi,
>>
>> I have posted the following idea on my blog [7] to get comments from
>> people not on this list, but obviously this is the mailing list where
>> the proposal should be discussed. :-)
> I generall
Hi Martin,
2014-04-16 14:53 GMT+02:00 Martin Wuertele :
> * Balint Reczey [2014-04-15 12:01]:
>
> (...)
>
>> My proposal for serving those security-focused users is introducing a
>> new architecture targeting amd64 hardware, but with more security
>> related C/C++ features turned on for every pac
* Balint Reczey [2014-04-15 12:01]:
(...)
> My proposal for serving those security-focused users is introducing a
> new architecture targeting amd64 hardware, but with more security
> related C/C++ features turned on for every package (currently hardening
> has to be enabled by the maintainers i
Hi Balint,
Balint Reczey wrote:
> Hi,
>
> I have posted the following idea on my blog [7] to get comments from
> people not on this list, but obviously this is the mailing list where
> the proposal should be discussed. :-)
I generally agree with your concerns. But I have to concur that
hardening
* Steve Langasek , 2014-04-15, 11:07:
But I don't imagine that you're going to get signoff on a dpkg
"amd64-secure" architecture,
"amd64-secure"? Why not "amd64-asbestos-free"?
--
Jakub Wilk
On Wed, Apr 16, 2014 at 12:15:22AM +0800, Thomas Goirand wrote:
> > My proposal for serving those security-focused users is introducing a
> > new architecture targeting amd64 hardware, but with more security
> > related C/C++ features turned on for every package (currently hardening
> > has to be e
On Tue, Apr 15, 2014 at 6:15 PM, Thomas Goirand wrote:
> On 04/15/2014 06:00 PM, Balint Reczey wrote:
>> Hi,
>>
>> I have posted the following idea on my blog [7] to get comments from
>> people not on this list, but obviously this is the mailing list where
>> the proposal should be discussed. :-)
On 04/15/2014 06:00 PM, Balint Reczey wrote:
> Hi,
>
> I have posted the following idea on my blog [7] to get comments from
> people not on this list, but obviously this is the mailing list where
> the proposal should be discussed. :-)
>
> -
>
> Facing last week's Heartbleed [1] bug the need
2014-04-15 14:23 GMT+02:00 Paul Wise :
> On Tue, Apr 15, 2014 at 8:15 PM, Christian Hofstaedtler wrote:
>
>> I think that as of today it would help more to fix various upstream
>> build tools to actually honor the build flags we (using
>> dpkg-buildflags) set. This would benefit both the regular
>>
On Tue, Apr 15, 2014 at 8:15 PM, Christian Hofstaedtler wrote:
> I think that as of today it would help more to fix various upstream
> build tools to actually honor the build flags we (using
> dpkg-buildflags) set. This would benefit both the regular
> architectures and any hypothetical hardened a
* Balint Reczey [140415 12:01]:
[..]
> My proposal for serving those security-focused users is introducing a
> new architecture targeting amd64 hardware, but with more security
> related C/C++ features turned on for every package (currently hardening
> has to be enabled by the maintainers in some
s://www.debian.org/doc/manuals/securing-debian-howto/ch-automatic-harden.en.html
[4]
https://wiki.debian.org/Hardening#Notes_on_Memory_Corruption_Mitigation_Methods
[5] http://popcon.debian.org/index.html
[6] https://wiki.debian.org/Multiarch
[7]
http://balintreczey.hu/blog/proposing-amd64-ha