From: Jeremy Thomerson
Reply-To: jeremy@thomersonfamily.com
Date: Tue, 17 May 2011 08:30:24 -0400
Subject: Re: [alpine-devel] RFC: disable mprotect or JIT on web browsers
To: Natanael Copa
Cc: alpine-devel@lists.alpinelinux.org
In-Reply-To: <20110517112539.4f28cda2@ncopa-desktop.nor.wtbts.net>

I don't have a lot of say here, but you asked for comments, so here's mine:

What's the advantage of turning Alpine into a full desktop environment with Firefox, etc? The tagline for Alpine is "A *security-oriented*, lightweight Linux distribution ..."

I'd be concerned about going against that (disabling a security feature) just to enable web browsing on a distro that is intended as a hardened server distro.

Jeremy Thomerson

On Tue, May 17, 2011 at 5:25 AM, Natanael Copa wrote:

> Hi,
>
> Modern browsers use just-in-time (JIT) compilers to gain maximum
> performance of the javascripts. This requires that the application can
> allocate memory where it can both write to it and then execute it. This
> is not allowed with our Grsecurity kernel for security reasons.
>
> So currently, midori has mprotect disabled and it looks like we might
> need to do the same with firefox. Alternatively we will need to patch
> webkit and xulrunner to disable jit.
>
> So this is a trade off.
>
> I am slightly towards prioritizing security. (I think fedora does so for
> webkit too btw)
>
> What do you prefer? JIT speed or MPROTECT security for our browsers?
>
> -nc
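
An added example, not part of the thread and not Alpine's code: this C program probes whether the running kernel grants the two memory-permission patterns the quoted message says a JIT depends on, namely a page that is writable and executable at once, and a written page that is later switched to executable. All function and enum names are assumptions made for this example; it checks system-call return codes only and does not inspect the resulting mapping.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe { PROBE_DENIED = 0, PROBE_ALLOWED = 1 };
enum jit_support { JIT_RWX_OK, JIT_FLIP_ONLY, JIT_BLOCKED };

/* Map one anonymous page with `prot`; report whether the kernel agreed. */
static enum probe probe_map(int prot)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_DENIED;
    munmap(p, len);
    return PROBE_ALLOWED;
}

/* Map a page read/write, then ask mprotect() to make it read/execute. */
static enum probe probe_flip(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_DENIED;
    int rc = mprotect(p, len, PROT_READ | PROT_EXEC);
    munmap(p, len);
    return rc == 0 ? PROBE_ALLOWED : PROBE_DENIED;
}

/* Summarise the two probes from a JIT's point of view. */
static enum jit_support classify(enum probe rwx, enum probe flip)
{
    if (rwx == PROBE_ALLOWED)
        return JIT_RWX_OK;
    return flip == PROBE_ALLOWED ? JIT_FLIP_ONLY : JIT_BLOCKED;
}

int main(void)
{
    static const char *const label[] = {
        "write+execute mappings allowed",
        "RWX refused, but a written page can still be made executable",
        "no way to run freshly written code: JIT must be disabled",
    };
    enum probe rwx = probe_map(PROT_READ | PROT_WRITE | PROT_EXEC);
    printf("%s\n", label[classify(rwx, probe_flip())]);
    return 0;
}
```

Run it once normally and once under the policy being evaluated; the third result corresponds to the case in the thread where the browser either gets an exemption or is built without its JIT.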