From: Stephen Clowater
Reply-To: steve@stevesworld.hopto.org
To: gentoo-dev@gentoo.org
Date: Thu, 7 Aug 2003 11:19:10 -0300
Subject: Re: [gentoo-dev] Gentoo Grsecurity Poll
Message-Id: <200308071119.10882.steve@stevesworld.hopto.org>
In-Reply-To: <1060263506.18983.394.camel@vertigo>
References: <1060210115.25885.63.camel@simple> <20030807130203.GD25313@enki.datanode.net> <1060263506.18983.394.camel@vertigo>

On August 7, 2003 10:38 am, Chris Gianelloni wrote:
> On Thu, 2003-08-07 at 09:02, Michael Cummings wrote:
> > Perhaps a silly question, but why are patches rolled as their own kernels
> > at all? Seems to my little brain (yes, it's real small when it comes to
> > these matters) that it would almost make more sense to offer the vanilla
> > kernel as is, then have each of these (currently their own ebuilds)
> > patches as add-on ebuilds, such as emerge vanilla-kernel, emerge
> > grsecurity-patch, emerge nvidia-patch, etc. After all, it's not like the
> > ebuild for the kernel compiles it in the first place, and as far as I
> > know these patches add/replace to the existing structure, right?
> > Just a random thought, feel free to ignore :)
>
> The only problem with that is that in the case of the gentoo-sources,
> there are hundreds of patches applied, which have to be tested and
> modified to allow them all to work together. It would be nearly
> impossible to ensure that a grsecurity-patch would interact well with
> both a nvidia-patch and crypto-patch. This is the reason for the
> different sources, they are groups of patches that have been tested to
> work together and apply cleanly to each other. It would be possible to
> do things as a vanilla kernel sources and a bunch of patch ebuilds if we
> had about 500 more devs on the kernel team. ;p

I have to agree here. Before using Gentoo I used to maintain an almost identical
kernel for production environments as gentoo-sources. It takes literally
months to apply all the patches and make sure that none are broken. And often
some of the patches aren't broken per se; however, when they are interacting
with other patches like grsecurity or POSIX ACL patches they start to break.
Crypto-api is a good example: I have found that it frequently gets mad at
grsecurity and POSIX stuff. Hacking up the makefiles usually fixes some of
this; however, on some systems I've found the kernel would still panic for
seemingly no reason (on the 2.4.18, since then I've been using Gentoo, who are
sweet enough to do the maintaining for me :)). So gentoo-sources,
hardened-sources, and other kernel flavors in portage are very appropriately
in their own place.

Try applying grsecurity, crypto-api, POSIX fine-grained ACLs to the same
kernel to give you a better idea what these people are going through :)

Steve
--
- ******************************************************************************
Stephen Clowater                      If you're happy, you're successful.
The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){
#ifdef _REALITY_
    char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? /dev/null:/dev/random );
#endif
#ifdef _POLITICALY_CORRECT_
    char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif
#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
    cout << "Sending Income Data From Hard Drive Now!\n";
    System("dd if=/dev/urandom of=/dev/hda");
#endif
    return Meaning_of_your_life;
}
*****************************************************************************

--
gentoo-dev@gentoo.org mailing list
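The "apply cleanly to each other" test that the quoted reply describes, as an added example that is not part of the original message: a minimal unified-diff applier that applies a stack of patches in order and reports the first hunk a later patch can no longer match. The Makefile fragment, the two patches (a constructed grsecurity patch followed by a constructed crypto-api patch that touches the same line) and the function names are all assumptions made for illustration.

```python
# Added example, not code from the thread: apply an ordered stack of unified
# diffs to one file, stopping at the first hunk that no longer matches (the
# "apply cleanly to each other" test). Exact context only; data is constructed.
import re
HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+\d+(?:,\d+)? @@")

def apply_patch(lines, patch_text):
    """Return the patched lines, or raise ValueError naming the failing hunk."""
    out, pos, n = [], 0, 0  # pos walks the original file, n counts hunks
    for line in patch_text.splitlines():
        m = HUNK.match(line)
        if m:  # hunk header: copy the untouched lines up to where it starts
            n += 1
            start, count = int(m.group(1)), int(m.group(2) or 1)
            at = start - 1 if count else start  # "-N,0" means insert after N
            out.extend(lines[pos:at])
            pos = at
        elif n and line[:1] in (" ", "+", "-"):
            tag, text = line[0], line[1:]
            if tag in " -":  # context and removed lines must match the tree
                found = lines[pos] if pos < len(lines) else "<EOF>"
                if found != text:
                    raise ValueError(f"hunk {n}: expected {text!r} at line "
                                     f"{pos + 1}, found {found!r}")
                pos += 1
            if tag in " +":
                out.append(text)
    out.extend(lines[pos:])
    return out

def apply_stack(lines, patches):
    """Apply (name, text) patches in order; return (lines, None) on success or
    (lines after the last good patch, "name: reason") at the first failure."""
    for name, text in patches:
        try:
            lines = apply_patch(lines, text)
        except ValueError as e:
            return lines, f"{name}: {e}"
    return lines, None

# Constructed sample: both patches rewrite line 2 of the same Makefile.
BASE = ["obj-y += sched.o", "obj-y += fs.o", "obj-y += net.o"]
GRSEC = """@@ -2,2 +2,3 @@
-obj-y += fs.o
+obj-y += fs.o grsec.o
 obj-y += net.o
+obj-$(CONFIG_GRKERNSEC) += grsec/
"""
CRYPTO = """@@ -2 +2 @@
-obj-y += fs.o
+obj-y += fs.o crypto.o
"""
```

Each patch applies on its own; applied after GRSEC, CRYPTO fails because the context it expects on line 2 is gone, which is the kind of interaction a maintainer resolves by hand before shipping the combined sources.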