
Re: [alpine-devel] RFC: disable mprotect or JIT on web browsers

From: Nathan Angelacos <nangel_at_nothome.org>
Date: Tue, 17 May 2011 07:38:18 -0700

On 05/17/2011 05:30 AM, Jeremy Thomerson wrote:
> I don't have a lot of say here, but you asked for comments, so here's mine:
> What's the advantage of turning Alpine into a full desktop environment
> with Firefox, etc? The tagline for Alpine is "A *security-oriented*,
> lightweight Linux distribution ..."
> I'd be concerned about going against that (disabling a security feature)
> just to enable web browsing on a distro that is intended as a hardened
> server distro.
> Jeremy Thomerson

+1


> On Tue, May 17, 2011 at 5:25 AM, Natanael Copa <ncopa_at_alpinelinux.org> wrote:
>
> Hi,
>
> Modern browsers use just-in-time (JIT) compilers to gain maximum
> performance of the javascripts. This requires that the application can
> allocate memory where it can both write to it and then execute it. This
> is not allowed with our Grsecurity kernel for security reasons.
>
> So currently, midori has mprotect disabled and it looks like we might
> need to do the same with firefox. Alternatively we will need to patch
> webkit and xulrunner to disable jit.
>
> So this is a trade off.
>
> I am slightly towards prioritizing security. (I think Fedora does so for
> webkit too btw)
>
> What do you prefer? JIT speed or MPROTECT security for our browsers?
>
> -nc



---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Tue May 17 2011 - 07:38:18 UTC
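
The constraint raised in the quoted RFC (a JIT needs memory it can write and then execute, which the Grsecurity kernel's MPROTECT refuses) can be checked from userspace. The probe below is an added example, not code from this thread or from Alpine; the function names and the three-way classification are assumptions made for illustration, and it only requests the permissions without executing anything.

```c
/* Added example: asks the kernel for the memory permissions a JIT needs and
 * reports whether the running policy grants them. Nothing is executed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define RW  (PROT_READ | PROT_WRITE)
#define RX  (PROT_READ | PROT_EXEC)
#define RWX (PROT_READ | PROT_WRITE | PROT_EXEC)

enum wx_policy { WX_ALLOWED, WX_PARTIAL, WX_ENFORCED };  /* hypothetical labels */

/* Map one anonymous page with `initial`, then try to switch it to `later`.
 * Returns 1 if both calls succeed, 0 if either is refused. A policy that
 * silently drops PROT_EXEC instead of failing the call is not detected. */
int probe(int initial, int later)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, initial, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    int ok = (later == initial) || mprotect(p, len, later) == 0;
    munmap(p, len);
    return ok;
}

/* Summarise the three JIT-relevant probes. */
enum wx_policy classify(int rwx, int rw_to_rx, int rw_to_rwx)
{
    if (rwx && rw_to_rx && rw_to_rwx)
        return WX_ALLOWED;     /* a JIT works unmodified */
    if (!rwx && !rw_to_rx && !rw_to_rwx)
        return WX_ENFORCED;    /* written memory can never become executable */
    return WX_PARTIAL;
}

int main(void)
{
    static const char *level[] = { "none", "partial", "full" };
    int rwx = probe(RWX, RWX), rx = probe(RW, RX), up = probe(RW, RWX);
    printf("mmap RWX: %d  RW->RX: %d  RW->RWX: %d\n", rwx, rx, up);
    printf("W^X enforcement: %s\n", level[classify(rwx, rx, up)]);
    return 0;
}
```

Run it as the same user, and under the same per-binary policy flags, as the browser being evaluated, since the restriction can be toggled per executable.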