grsecurity forums

hi!

would it possible to provide smaller patches instead of the huge grsecurity-patch?
one for e.g: pax, grsec, rbac...

applying the entire patch to a non-vanilla kernel is really hard.
and sometimes it don't need pax or rbac.

thanks,
//richard

derRichard wrote:would it possible to provide smaller patches instead of the huge grsecurity-patch?
one for e.g: pax, grsec, rbac...

possible - yes, will it actually happen - no. the reasons are several, such as lack of developer time, motivation, complexity of the task (there're several cross-dependencies between features, it's not that easy to provide patches that you can cherry-pick, at least not without effectively maintaining branches).

applying the entire patch to a non-vanilla kernel is really hard.

applying it to a new vanilla kernel is hard enough as well

If you and spender ever change your minds, what about providing the patches with dependency lists, instead of trying to fully separate them? For instance, must have RBAC before PaX can be installed, but the user could stop after applying just RBAC. Though you'd still have to do some work to break up the pieces, that'd be easier than trying to have each subsystem selectable independently of any other.

On a related note, how many people are involved in the GRsecurity project - just spender and PaX team? Also, how many people are behind the alias PaX team?

afaik pax is independent of rbac. rbac is part of grsec. pax is something altogether different.