Message-ID: <4DD2885A.6010302@nothome.org>
Date: Tue, 17 May 2011 07:38:18 -0700
From: Nathan Angelacos
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] RFC: disable mprotect or JIT on web browsers

On 05/17/2011 05:30 AM, Jeremy Thomerson wrote:
> I don't have a lot of say here, but you asked for comments, so here's mine:
> What's the advantage of turning Alpine into a full desktop environment
> with Firefox, etc? The tagline for Alpine is "A *security-oriented*,
> lightweight Linux distribution ..."
> I'd be concerned about going against that (disabling a security feature)
> just to enable web browsing on a distro that is intended as a hardened
> server distro.
> Jeremy Thomerson

+1

> On Tue, May 17, 2011 at 5:25 AM, Natanael Copa wrote:
>
> Hi,
>
> Modern browsers use just-in-time (JIT) compilers to gain maximum
> performance of JavaScript. This requires that the application can
> allocate memory where it can both write to it and then execute it. This
> is not allowed with our Grsecurity kernel for security reasons.
>
> So currently, midori has mprotect disabled and it looks like we might
> need to do the same with firefox. Alternatively we will need to patch
> webkit and xulrunner to disable jit.
>
> So this is a trade-off.
>
> I lean slightly towards prioritizing security. (I think Fedora does so for
> webkit too btw)
>
> What do you prefer? JIT speed or MPROTECT security for our browsers?
>
> -nc