Hlfs iso?

Robert Connolly cendres at videotron.ca
Wed Mar 10 07:27:11 PST 2004


On March 10, 2004 09:06 am, Dagmar d'Surreal wrote:
> On Mon, 2004-03-08 at 04:40, Robert Connolly wrote:
> > For
> > bootstrap and testing reasons we might want to build with all security
> > options enabled. This could use some discussion. Might also want to
> > include a Grsec patch in the iso, so it's available if users prefer it to
> > PaX-standalone.
>
> If you can get all the build tools and the source tarballs onto media,
> go for it, but the majority of the real work you're not going to be able
> to script.

Others have been developing this kind of stuff (rbac, aslr, pie) for several
years. In general none of them use it to its full potential out of the box
because it has taken this much time to mature. XFree86 apps don't work very
well with PaX, so security options are disabled for these applications by
most vendors. For our purposes I felt it was better to break XFree86 support
(for now) and keep security options enforced globally without exceptions for
wild apps. The only condition is the system needs to be able to rebuild
itself. It should be able to do it, with all the testsuites passing, to show
our base source is stable with the kernel security turned on. The point is,
you need a trusted system to build a trusted system, and you shouldn't need
to disable security in order to build or upgrade (if you do, it should be
intentional, not indirect).


