linux-patch-grsecurity2 for Debian
-----------------------------------

The grsecurity2 2.4.x and newer 2.6.y patches will *not* apply to Debian
kernels. If you want to build a grsecurity-enabled kernel, you should use a
vanilla kernel source tree from one of the kernel.org mirrors.

This is not my fault.

Initially, Debian kernels would differ from vanilla kernels mainly because of
some things that *had* to be fixed. I understand that.

Nowadays, Debian 2.4.x kernels feature backports from 2.5 and various other
"goodies". I don't approve of that.

If I install kernel-source-2.4.26, I want the 2.4.26 kernel source; I don't
want the 2.4.26 kernel source with 2.5's IPsec stack patched in and hundreds
of little "fixes". I understand that the kernel maintainer(s) put a lot of
work into this process, and I don't doubt the quality they produce. But
I think there is a reason why 2.5 is dubbed experimental, and if I run
a highly-important system and must use e.g. 2.4.26, I want 2.4.26 and not the
IPsec stuff.

I spent many hours trying to work around this manually, but it's not possible.
Grsecurity patches the regular 2.4 IP stack, which does not exist in Debian's
2.4.20 and up kernels anymore. I could work around it, but it would be
a Sisyphean task which I am not willing to take on. Furthermore, since I'd be
introducing yet another kernel version, I would possibly be introducing bugs.

I think it is thus adequate of me to suggest using the vanilla kernel sources
instead of the Debian kernels. If you do not like this, then please complain
to the kernel maintainers.

If you want to use a Debian kernel-source package, you can retrieve the
original vanilla source by unpatching it:

  apt-get install kernel-source-2.4.26 kernel-patch-debian-2.4.26
  tar xfj /usr/src/kernel-source-2.4.26.tar.bz2
  cd kernel-source-2.4.26
  /usr/src/kernel-patches/all/2.4.26/unpatch/debian

I don't claim this is a good or nice solution. The corresponding debate is
here:

  http://lists.debian.org/debian-devel/2003/debian-devel-200309/msg01133.html

-- martin f. krafft <madduck@debian.org>, Tue, 21 Sep 2003 13:12:54 +0200
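
A pre-build check for the situation described above, added here and not part of the original README: dry-run the patch with fuzz disabled and refuse to build when any hunk is rejected. The miniature trees, their file contents and grsec.patch are constructed stand-ins for a kernel source tree and the real grsecurity patch; it assumes the standard patch and diff utilities.

```shell
#!/bin/sh
# Added example. Every file name and file content here is constructed;
# grsec.patch stands in for the real grsecurity patch.

# patch_applies TREE PATCHFILE
# Dry-run PATCHFILE against TREE without modifying it. -F0 disables fuzz, so a
# hunk whose context differs is rejected instead of being applied "nearby";
# -f keeps patch from prompting. Returns 0 only if every hunk applies.
patch_applies() {
    out=$( exec < "$2" && cd "$1" && patch -p1 -F0 -f --dry-run 2>&1 ) && return 0
    printf '%s\n' "$out" >&2      # show which files/hunks were rejected
    return 1
}

# make_demo: build three miniature trees in a temp dir and print its path.
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/vanilla/net" "$d/debian/net" "$d/patched/net"
    printf 'int ip_rcv(void)\n{\n\treturn 0;\n}\n' > "$d/vanilla/net/ip.c"
    # distribution tree: the same function was replaced by a backport
    printf 'int xfrm_ip_rcv(void)\n{\n\treturn xfrm_input();\n}\n' > "$d/debian/net/ip.c"
    # patched = vanilla plus the hardening change
    printf 'int ip_rcv(void)\n{\n\treturn gr_check();\n}\n' > "$d/patched/net/ip.c"
    # diff exits 1 when the trees differ, which is the expected case here
    ( cd "$d" && diff -urN vanilla patched > grsec.patch ) || [ $? -eq 1 ] || return 1
    printf '%s\n' "$d"
}

demo=$(make_demo) || exit 1
for tree in vanilla debian; do
    if patch_applies "$demo/$tree" "$demo/grsec.patch" 2>/dev/null; then
        echo "$tree: patch applies cleanly"
    else
        echo "$tree: patch rejected, do not build from this tree"
    fi
done
rm -rf "$demo"
```

Against a real tree, run patch_applies on the unpatched source directory before applying anything, and treat a non-zero return as a reason to stop rather than to raise the fuzz factor.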
