Linus Torvalds on grsecurity
In the recent message regarding larger stack gap Linus wrote:
On Thu, Jun 22, 2017 at 8:10 PM, Andy Lutomirski wrote:
> Has anyone checked how grsecurity deals with this? I think they have
> a large stack guard gap.
Don't bother with grsecurity.
Their approach has always been "we don't care if we break anything,
we'll just claim it's because we're extra secure".
The thing is a joke, and they are clowns. When they started talking
about people taking advantage of them, I stopped trying to be polite
about their bullshit.
Their patches are pure garbage.
Linus
Whatever they said about "people taking advantage" or did to get paid for their patches, this tells nothing about quality of their patches, and I don't see any constructive criticism from the Father of Linux here either.
If they hadn't cared about breaking things like Linus says, there wouldn't be any configurable PAX_/GRSEC_ kernel options, sysctl entries or tools like chpax, paxctl and xattr support in Grsecurity.
Linux wasn't designed to be immune against modern threats/exploits from the start and it has a lot of software written to work in the old security model, so the process of improving this situation is foredoomed to break something here or there. And the guy who is responsible for improvements has to know better than just insulting or calling his opponents' work bullshit.
On Thu, Jun 22, 2017 at 8:10 PM, Andy Lutomirski wrote:
> Has anyone checked how grsecurity deals with this? I think they have
> a large stack guard gap.
Don't bother with grsecurity.
Their approach has always been "we don't care if we break anything,
we'll just claim it's because we're extra secure".
The thing is a joke, and they are clowns. When they started talking
about people taking advantage of them, I stopped trying to be polite
about their bullshit.
Their patches are pure garbage.
Linus
Whatever they said about "people taking advantage" or did to get paid for their patches, this tells nothing about quality of their patches, and I don't see any constructive criticism from the Father of Linux here either.
If they hadn't cared about breaking things like Linus says, there wouldn't be any configurable PAX_/GRSEC_ kernel options, sysctl entries or tools like chpax, paxctl and xattr support in Grsecurity.
Linux wasn't designed to be immune against modern threats/exploits from the start and it has a lot of software written to work in the old security model, so the process of improving this situation is foredoomed to break something here or there. And the guy who is responsible for improvements has to know better than just insulting or calling his opponents' work bullshit.