by dmix 4200 days ago
No one in that thread is recommending the Linux devs take the monolithic GRSecurity patches flat out. If you read the originally linked thread, Daniel explains why it can't be accepted this way, nor does he propose that it should be.

Rather, attempts to submit it in smaller patches have been met with disinterest. Add to that the fact that security in general has the appearance of being sidelined by the core developers, which has created a large disincentive for developers interested in getting GRSecurity upstreamed from even trying (again).


I still really can't figure out how you characterised that particular post as 'snarky'. You complain of 'massive politics', but you're contributing to it with heavy mischaracterisations like that, turning an apologetic, helpful, and informative email into 'a snarky reply'.
A single email example will always be missing a lot of context. Just because someone's tone is nice and friendly doesn't mean there isn't a ton of subtext to what is being said. I'll give a few examples:

1. Saying that since no one has yet "paid for a team of people to do it" then it "must not be worth doing"

2. Sarcastically putting "info leak" in quotes (see the KASLR post in my original email for context on info leaks)

3. Repeatedly saying: if you discover a problem, "I can help out with that" or "just let me know", when there is a long history of people doing exactly that and Linux core devs, including Greg K-H, largely ignoring them.

Etc, I could go on.

And this is all politics. I never said I was apolitical in the posts above. The whole reason people are saying it would take a team of people to submit patches is because of politics.

> Saying that since no one has yet "paid for a team of people to do it" then it "must not be worth doing"

Except that it's much less declarative than you're stating ('kind of implies' is pretty far from 'must'), and even has an emoticon added to indicate commiseration: "kind of implies that no one thinks it is worth doing :(". I agree that context can be missing, but at the same time, you shouldn't be significantly changing the visible context like that - you seem to be more about projecting your own issues rather than reading what's on the page when you do that.

Right, I should take exemplary lessons of politeness and politics from Greg and Linus.
Where did I imply that you should pattern yourself after someone else? I'm working from your own complaints and behaviour. You're projecting again.

A nicely ironic reply, though - if you do actually have problems with the way they behave, why invoke their behaviour to defend your own?

Well, speaking of projections, I am not pointing to the lack of politeness, nor politics, as the problem in itself here.

I remarked on his snarkiness simply because it is indicative of the problem: there has been a long history of dismissiveness during any discussion of upstreaming PaX/grsec-style mitigations. So, considering it is not being taken seriously, we will continue to enjoy the side-effects for the foreseeable future.

Well, I wouldn't take them off whoever posts under the PAXTeam account to LWN.
Maybe the grsec people should better communicate the advantage. I suggest taking each CVE and listing whether it would have been mitigated by running a grsec kernel, and comparing it to something else (SELinux or whatever).
If there is a kernel privilege escalation, then SELinux can be disabled, as Spender loves to demonstrate: https://www.youtube.com/watch?v=WI0FXZUsLuI GRSec does include its own MAC system as an alternative to SELinux, but that is only a small part.

PaX/grsec is in a different class of mitigation. I don't really know any competitors besides other implementations of small subsets by different operating systems or hardware manufacturers.

To your other point, I don't think anyone who has been following Linux security for any amount of time thinks that Spender or PaX are in need of proving themselves.

> To your other point, I don't think anyone who has been following Linux security for any amount of time thinks that Spender or PaX are in need of proving themselves.

No major distro carries the patch, and the kernel devs don't want to merge it as it is.

A change in tactics is needed: make it easier for everyone to see how much better things are with grsec. The tweets are good; a summary of those tweets would be better.