wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


devel:grsecurity

grsecurity

In IPFire 2.15 - Core Update 77, grsecurity has been added to the IPFire distribution and was again removed in IPFire 2.21 - Core Update 121/122. This was necessary because the patchset was no longer publicly available to use.

We, the IPFire developers, regret to have come to the conclusion that grsecurity is no longer available for us to use. It has been helpful to fight against various vulnerabilities in the past and we have been actively contributing to it wherever we could. Unfortunately, the grsecurity project has made the decision to no longer publicly disclose the patchset 1) for reasons that we neither understand or agree with.

We have made the decision to move away from grsecurity since we cannot provide our kernels with constant patches and a swift release schedule would have been at risk. Basing our kernel on a project that is not working in the open and putting their own financial gain over security is not acceptable for us and many other projects who's steps we are following2).

From a technical perspective, there is nobody who is benefiting from the whole situation. grsecurity was the best way to protect the kernel and userland from various exploits. Luckily, the mainline kernel developers have been working on adapting some features of grsecurity3) and we are able to keep some of those features enabled in the IPFire kernel as well.

However, work is not done, yet and we welcome every help to continue working on hardening the mainline Linux kernel better.

devel/grsecurity.txt · Last modified: 2018/07/31 15:13 by Michael Tremer