
Re: [alpine-devel] RFC: disable mprotect or JIT on web browsers

From: Jeremy Thomerson <jeremy_at_thomersonfamily.com>
Date: Tue, 17 May 2011 08:30:24 -0400

I don't have a lot of say here, but you asked for comments, so here's mine:

What's the advantage of turning Alpine into a full desktop environment with
Firefox, etc? The tagline for Alpine is "A *security-oriented*, lightweight
Linux distribution ..."

I'd be concerned about going against that (disabling a security feature)
just to enable web browsing on a distro that is intended as a hardened
server distro.

Jeremy Thomerson

On Tue, May 17, 2011 at 5:25 AM, Natanael Copa <ncopa_at_alpinelinux.org> wrote:

> Hi,
>
> Modern browsers use just-in-time (JIT) compilers to gain maximum
> performance of the javascripts. This requires that the application can
> allocate memory where it can both write to it and then execute it. This
> is not allowed with our Grsecurity kernel for security reasons.
>
> So currently, Midori has mprotect disabled and it looks like we might
> need to do the same with Firefox. Alternatively we will need to patch
> WebKit and xulrunner to disable JIT.
>
> So this is a trade off.
>
> I am leaning slightly towards prioritizing security. (I think Fedora does
> so for WebKit too, btw.)
>
> What do you prefer? JIT speed or MPROTECT security for our browsers?
>
> -nc
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>
>



Received on Tue May 17 2011 - 08:30:24 UTC
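
The memory pattern the quoted RFC describes (write to memory, then execute it) can be checked on a given kernel with a small probe. This is an added example, not code from the thread or from Alpine; the function names and result codes are chosen here, and it assumes a policy refusal is reported as EPERM or EACCES.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result codes are names chosen for this example. */
enum { PROBE_ALLOWED = 0, PROBE_DENIED = 1, PROBE_ERROR = -1 };

/* Assumption: a policy refusal surfaces as EPERM or EACCES. */
static int classify(int err) {
    return (err == EPERM || err == EACCES) ? PROBE_DENIED : PROBE_ERROR;
}

/* Case 1: request memory that is writable and executable at the same time. */
int probe_rwx_mmap(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return classify(errno);
    munmap(p, len);
    return PROBE_ALLOWED;
}

/* Case 2: write to a page, then ask for it to become executable. */
int probe_write_then_exec(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_ERROR;
    p[0] = 0;                      /* dirty the page; nothing is executed */
    int rc = mprotect(p, len, PROT_READ | PROT_EXEC);
    int err = errno;               /* save before munmap can change it */
    munmap(p, len);
    return rc == 0 ? PROBE_ALLOWED : classify(err);
}

static const char *name(int r) {
    return r == PROBE_ALLOWED ? "allowed" : r == PROBE_DENIED ? "denied" : "error";
}

int main(void) {
    printf("mmap RWX:            %s\n", name(probe_rwx_mmap()));
    printf("RW then mprotect RX: %s\n", name(probe_write_then_exec()));
    return 0;
}
```

A kernel that strips PROT_EXEC from the request instead of failing the call would be reported as "allowed" here; detecting that case is outside this probe.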