[tor-talk] What's to be Done

Apple Apple djjdjdjdjdjdjd32 at gmail.com
Mon Aug 24 16:26:58 UTC 2015


It's not a Debian-specific problem. Even "security conscious" distros like
Fedora only build a dozen or so key packages with PIC and SSP because of
performance concerns. AddressSanitizer is obviously out of the question.

Then of course Linux does not have proper ASLR without 3rd-party kernel
patches anyway, making PIE pretty pointless.

There is a good article out there on why RSBAC does not use LSM; I
recommend you read it if you do not understand the current security vs.
performance dynamic within Linux. You should also read up on the history of
PaX and ask why it is not in the mainline Linux tree.

For whoever asked about previous Debian-specific attempts, I suggest you
look into a project called mempo, now defunct, of course.

Given what I've said above we return to my original point. No mainstream
distro, especially Debian, is willing to pay the cost (mostly performance)
for adding meaningful security. If your plan is to try to bulldoze all this
stuff into Debian testing, that's not going to work...
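
[Editor's note: the post above argues about which packages get built with PIE and SSP and whether ASLR is enabled. The following is an added example, not part of the original post or of any distro's tooling, showing how a practitioner would check those three properties on a given binary with nothing but POSIX tools (od, tr, grep). It reads the ELF e_type field (ET_DYN means PIE for an executable; ET_EXEC means a fixed-address, non-PIE binary), looks for the __stack_chk_fail symbol name that the GCC/Clang stack protector references, and reads the mainline kernel's randomize_va_space sysctl. The function names and the make_sample_elf helper, which writes a constructed minimal ELF header purely so the check can be exercised offline, are this example's own. Treat the SSP test as a heuristic: a stripped or statically linked binary can hide the string, and its presence proves only that some function in the binary is protected.]

```sh
#!/bin/sh
# Added example (not from the original post): report PIE / stack-protector
# status of an ELF file and the kernel's ASLR sysctl, using POSIX tools only.

# elf_type FILE: print EXEC, DYN or OTHER from the ELF e_type field
# (16-bit value at offset 16); print NOTELF and fail if the magic is wrong.
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOTELF; return 1; }
    # EI_DATA at offset 5: 01 = little-endian, 02 = big-endian
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    set -- $(od -An -tx1 -j16 -N2 "$f")
    if [ "$data" = "02" ]; then etype="$1$2"; else etype="$2$1"; fi
    case $etype in
        0002) echo EXEC ;;   # ET_EXEC: fixed load address, ASLR cannot move it
        0003) echo DYN  ;;   # ET_DYN: PIE executable (or a shared library)
        *)    echo OTHER ;;
    esac
}

# is_pie FILE: succeed when the file is position-independent (ET_DYN).
is_pie() { [ "$(elf_type "$1")" = DYN ]; }

# has_ssp FILE: succeed when the stack-protector failure handler is
# referenced. Non-printable bytes become newlines so grep sees plain text.
has_ssp() { tr -cs '[:print:]' '\n' < "$1" | grep -q '__stack_chk_fail'; }

# aslr_level: mainline kernel ASLR sysctl (0 off, 1 stack/mmap/vdso,
# 2 also brk), or "unknown" when /proc is not available.
aslr_level() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        cat /proc/sys/kernel/randomize_va_space
    else
        echo unknown
    fi
}

# hardening_report FILE: one-line summary of the three checks.
hardening_report() {
    f=$1
    t=$(elf_type "$f") || { echo "$f: not an ELF file"; return 1; }
    if is_pie "$f";  then pie=yes; else pie=no; fi
    if has_ssp "$f"; then ssp=yes; else ssp=no; fi
    echo "$f: e_type=$t pie=$pie stack_protector=$ssp aslr_sysctl=$(aslr_level)"
}

# make_sample_elf OUT le|be 2|3 yes|no: write a constructed, minimal ELF
# header (hypothetical sample input, not a real binary) so the checks can
# be exercised without a compiler: ELFCLASS64, chosen endianness, chosen
# e_type, and optionally the __stack_chk_fail symbol name after the header.
make_sample_elf() {
    out=$1 endian=$2 etype=$3 ssp=$4
    printf '\177ELF\002' > "$out"                       # magic, 64-bit
    if [ "$endian" = be ]; then printf '\002' >> "$out"; else printf '\001' >> "$out"; fi
    printf '\001\000\000\000\000\000\000\000\000\000' >> "$out"   # EI_VERSION + pad to offset 16
    if [ "$endian" = be ]; then printf "\\000\\00$etype" >> "$out"; else printf "\\00$etype\\000" >> "$out"; fi
    if [ "$ssp" = yes ]; then printf 'main\000__stack_chk_fail\000' >> "$out"; else printf 'main\000' >> "$out"; fi
}

# Usage: sh hardening_check.sh /path/to/binary [...]
if [ $# -gt 0 ]; then
    for f; do hardening_report "$f"; done
fi
```

Run it against a real binary to see the same report the post's argument turns on; on most systems a non-PIE package binary shows e_type=EXEC, which is exactly the case where the kernel's ASLR setting does nothing for the main executable image.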

