Hi Yves-Alexis and team. We (Whonix) were working on a hardened-kernel package that aimed to apply the changes from both your and Anthraxx's patchsets to an upstream kernel, in addition to disabling a variety of commonly unused config options to reduce attack surface (details of what we did are documented here). We reached the conclusion that it's better to unite efforts and minimize NIH as much as possible, to make this viable in the long term and to spread its impact beyond our project as much as possible.
We've reached out to Debian's Ben Hutchings about packaging the patches in Debian. His three conditions were:
- Its developers should be actively working to get those patches
- There must be at least someone within the kernel team who takes responsibility for maintaining it.
- It should have regular verifiable releases. (Also, if it isn't updated for a new upstream version, we won't wait for it but will disable building it temporarily.)
Yves, you seem to be doing all three, and you're already part of the Debian kernel security team, so we were wondering if you could please work with them to provide an optional secure patchset/kernel there. I know that at least we and Tails will opt for it by default. TIA