Re: [alpine-devel] RFC: disable mprotect or JIT on web browsers
On 05/17/2011 05:30 AM, Jeremy Thomerson wrote:
> I don't have a lot of say here, but you asked for comments, so here's mine:
> What's the advantage of turning Alpine into a full desktop environment
> with Firefox, etc? The tagline for Alpine is "A *security-oriented*,
> lightweight Linux distribution ..."
> I'd be concerned about going against that (disabling a security feature)
> just to enable web browsing on a distro that is intended as a hardened
> server distro.
> Jeremy Thomerson
> On Tue, May 17, 2011 at 5:25 AM, Natanael Copa <ncopa_at_alpinelinux.org> wrote:
> Modern browsers use just-in-time (JIT) compilers to gain maximum
> allocate memory where it can both write to it and then execute it. This
> is not allowed with our Grsecurity kernel for security reasons.
> So currently, Midori has mprotect disabled and it looks like we might
> need to do the same with Firefox. Alternatively we will need to patch
> WebKit and XULRunner to disable JIT.
> So this is a trade-off.
> I am slightly towards prioritizing security. (I think Fedora does so for
> WebKit too btw)
> What do you prefer? JIT speed or MPROTECT security for our browsers?
Received on Tue May 17 2011 - 07:38:18 UTC
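
Added example (not part of the original thread, and not Alpine or Grsecurity code): a small C probe for the two memory-permission requests a JIT makes, a mapping that is writable and executable at once and a written page later switched to executable, reporting whether the running kernel allows them. The function names are hypothetical; the page is only written to as data and is never executed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define RW (PROT_READ | PROT_WRITE)

/* Map one anonymous page with `initial` protection, store a data byte if it
 * is writable, then mprotect() it to `final` when that differs.
 * Returns 0 if the kernel allowed every step, else the errno it reported.
 * The page is never executed. */
static int probe(int initial, int final)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int err = 0;
    unsigned char *p = mmap(NULL, len, initial,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    if (initial & PROT_WRITE)
        p[0] = 1;
    if (final != initial && mprotect(p, len, final) != 0)
        err = errno;
    munmap(p, len);
    return err;
}

/* Pattern 1: memory that is writable and executable at the same time. */
static int rwx_mapping(void) { return probe(RW | PROT_EXEC, RW | PROT_EXEC); }
/* Pattern 2: write first, then ask for the same page to become executable. */
static int rw_then_rx(void) { return probe(RW, PROT_READ | PROT_EXEC); }
/* Control: dropping write permission is not a JIT pattern. */
static int rw_then_ro(void) { return probe(RW, PROT_READ); }
/* Nonzero when either JIT allocation pattern was refused. */
static int jit_blocked(void) { return rwx_mapping() != 0 || rw_then_rx() != 0; }

int main(void)
{
    int a = rwx_mapping(), b = rw_then_rx();
    printf("control RW -> R: %s\n", rw_then_ro() ? "refused" : "allowed");
    printf("RWX mapping:     %s\n", a ? strerror(a) : "allowed");
    printf("RW -> RX:        %s\n", b ? strerror(b) : "allowed");
    printf("JIT allocation:  %s\n", jit_blocked() ? "blocked" : "permitted");
    return 0;
}
```

An "allowed" result only shows that the kernel accepted the request; confirming the permissions the mapping actually received (for example in `/proc/self/maps`) is a further check this probe does not make.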