Long post by the "PaX Team" (cache) on the kernel-hardening mailinglist.
I'm generally sympathetic towards PaX and grsecurity developers, who have been developing innovative mitigations against several classes of attacks on the Linux kernel and applications over a long time - and I've personally been using their work on my own machines for ages. But really, communication is not their thing. Ok, they're in excellent company in the open source world with that, but it really harms their cause.
(KSPP = Kernel Self Protection Project, sponsored by Google and the Linux Foundation, which tries to upstream select parts of the grsecurity patches into mainline Linux.)
I'm generally sympathetic towards PaX and grsecurity developers, who have been developing innovative mitigations against several classes of attacks on the Linux kernel and applications over a long time - and I've personally been using their work on my own machines for ages. But really, communication is not their thing. Ok, they're in excellent company in the open source world with that, but it really harms their cause.
PaX Team wrote:
Upstream's goal is protecting as many people as possible.
the KSPP's goal is to further the agenda of the companies behind
it (which is extracting profits for shareholders). that has nothing
to do with "protecting as many people as possible" but everything
to do with business goals du jour. if what you claim was true,
they would have done it since the beginning and in a way that is
not restricted to only linux users.
the KSPP's goal is to further the agenda of the companies behind
it (which is extracting profits for shareholders). that has nothing
to do with "protecting as many people as possible" but everything
to do with business goals du jour. if what you claim was true,
they would have done it since the beginning and in a way that is
not restricted to only linux users.
(KSPP = Kernel Self Protection Project, sponsored by Google and the Linux Foundation, which tries to upstream select parts of the grsecurity patches into mainline Linux.)
;){kind=link}