1 | | We should install a grsecurity kernel on debuild.mit.edu. |
| 1 | We should find a mechanism to lock down chroots on debuild.mit.edu. |
| 2 | |
| 3 | Users need to become root within the build chroots to install packages. Normally, chrooting isn't considered a security mechanism, and so by design it's possible for root to escape from a chroot, meaning that any user who has root within the build chroot can potentially acquire root outside of the chroot. |
| 4 | |
| 5 | This is a blocker for any sort of setup where debuild.mit.edu is open to the community. |