
Downsides to a grsec install script?

Posted: Thu Sep 18, 2014 1:19 pm
by dmix
I'm interested in helping expand the adoption of GRSecurity. Install scripts would make it much easier. But are there some obvious downsides to scripts or packages? I assume security and trust is the biggest concern.

I came across this for Debian:

And Arch has popular packages:

I have a personal preference towards Fedora and I was thinking of creating one for that distro. Maybe I should stick to writing blog post tutorials for manual builds?

Re: Downsides to a grsec install script?

Posted: Fri Sep 19, 2014 2:42 am
by strcat
I think the best thing you could do is maintain a source package for the distribution based on their vanilla kernel package and create a list of PaX exceptions. Making a binary package available is worthwhile, but third party binary packages are a bit sketchy unless you've built a good reputation in the community.

By the way, Arch Linux has an official grsecurity package in addition to that LTS one in the AUR: ... nux-grsec/

The downside to a binary package is missing out on the RANDSTRUCT and HIDESYM features. However, binary packages mean more users, and those users will improve the experience for everyone by finding bugs like SIZE_OVERFLOW false positives. Many people aren't interested in compiling a custom kernel, especially on old / embedded / mobile hardware.

Arch makes it easy to build a custom version of an official package so it's strictly better than not having one. The binary package makes it very easy to try out grsecurity and then the underlying source package makes it trivial to build a custom kernel that's properly integrated into the distribution. The same thing will apply to the NixOS grsecurity implementation, but I don't think they're at the point where there's a binary package.

It would be awesome if there were official packages for more distributions, but there's a lot of politics involved. It only ended up in the Arch repositories because I'm stubborn and went ahead with adding it despite it being a very contentious issue.

Re: Downsides to a grsec install script?

Posted: Wed Oct 01, 2014 12:00 pm
by timbgo
dmix wrote: I came across this for Debian:

And Arch has popular packages:

Please see references to some of the pages above here:

will be learning from you #6 ... r/issues/6

and here:
Grsecurity/Pax installation on Debian GNU/Linux ... 93#p555093

Thanks everybody for contributing to grsecurity, even with spreading the word, which is not the least important of ways considering all the forces against FOSS today,

Miroslav Rovis
Zagreb, Croatia