:: Re: [Dng] Hardened Devuan (was Re: …
Author: Neo Futur
Date:
To: Adam Borowski
CC: dng@lists.dyne.org
Subject: Re: [Dng] Hardened Devuan (was Re: Plan for Devuan to use Mozilla products as is)
at the beginning we plan :

* to use only the pax options of the grsec kernel, no rbac enabled
* to work on vanilla sources or gentoo hardened sources
* no debian patches, no exotic patches
* shipping the kernel with warnings that, as a default, java won't work
with a secure kernel, and possibly any other graphical applications
doing dirty stuff with memory ( buffer overflow, relocations and much
more )

as soon as we have a devuan beta version we feel confident enough to
install on at least one dedicated server ( something like dell r210 )
and on a laptop ( something like a thinkpad ), we'll start packaging a
grsec patched kernel.


speaking of installing on a dedicated server, do we have plans to
provide some kind of easy install system to install on a server from a
rescue mode ? ( not everyone has full kvm access to install
graphically, many datacenters provide only the rescue mode )



On Fri, Mar 6, 2015 at 6:27 PM, Adam Borowski <kilobyte@???> wrote:
> On Fri, Mar 06, 2015 at 03:19:29PM -0300, hellekin wrote:
>> *** I'm so happy to see this group. I've been using this kernel lately,
>> running on Parabola:
>>
>> 3.14.34-gnu-201502271838-1-lts-grsec-knock
>>
>> GRSecurity, and Knock support. Knock is a kernel patch that enables
>> single packet port knocking [0], thwarting common scanning attacks. I
>> would love to see this running on Devuan. Parabola GNU/Linux was the
>> first distro to deploy it, and I've been using it happily with SSH.
>
> It looks like Knock breaks everything TCP SQN is used for, including even
> such basics as packet retransmission/duplication detection. I've read the
> LKML discussion to see if I'm missing something, but apparently, I don't.
>
> As such, I'd say Knock has no place on a distribution kernel.
>
> --
> // If you believe in so-called "intellectual property", please immediately
> // cease using counterfeit alphabets. Instead, contact the nearest temple
> // of Amon, whose priests will provide you with scribal services for all
> // your writing needs, for Reasonable and Non-Discriminatory prices.
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng