Morris told you the same thing PaX Team said, and you ignored him?

But I think it’s really not much of an issue nowadays, Peter Busser’s claim from a few years ago that people who need big address spaces should just use 64bit systems is now matched by the common availability of hardware.

I agree that the way GNU_STACK works seems like a bad idea. If it was up to me things would have been done differently.

does Exec-Shield have any kernel self-protection features? that’s about half of PaX’s feature set.

> There are trade-offs between security and usability, Exec-Shield is more towards the compatibility end of this than PaX.

what kind of compatibility problems plague PaX that don’t exist under Exec-Shield? i know of none, if an app runs afoul of any security feature, that feature can be simply disabled for that app, not unlike it is under Exec-Shield (think GNU_STACK which happens to be a bad idea, but i digress ;).

> Last time I checked PaX halved the available address space

do you realise that there’re *two* non-exec implementations for i386 in PaX? SEGMEXEC is only one of the two, the other, PAGEEXEC, will either use the NX bit (if supported by the CPU) or the TLB manipulation trick. distros can have a kernel supporting all of them and PaX will default to the best method automatically.

Crispin is no longer an active developer of apparmor, so he is an advocate or just a user as per your definition.

I will respond to your second post separately, but you really do have to stop with the SELinux praise, it is not the only and/or best solution.

http://etbe.coker.com.au/2008/09/04/opinions-facts-apparmor/

Also you should read my above post on this topic. One of the amusing facts I discovered when researching it is that Crispin is still listed as the project lead for AppArmor. That has got to be a bad sign for the project.

Better competition and development is good for everybody, better than having selinux as the default implicitly trusted protection on every system.