
grsecurity-debian-installer's Introduction

grsecurity source install script for Debian

What's this?

Installing the latest grsecurity enabled kernel from source can be a tedious task, and thus a great candidate for an install script. Lucky for us that I really enjoy making them.

Most of the procedure is described when running the script, but in short, this is what it does:

  1. Downloads the latest version of grsecurity and the matching kernel
  2. Configures the kernel using the current kernel config
  3. Compiles the kernel into a neat Debian package using make-kpkg
  4. Installs the Debian package on the system

Hope you like it

grsecurity-debian-installer's People

Contributors

breyer, devinc, rickard2, rufoa, sinner-

grsecurity-debian-installer's Issues

Issue with 4.x kernel

Hello guys,

The script fails to download the kernel from the 4.x branch :)

Best regards,
Nico

Support for 'make localmodconfig'

'make localmodconfig' parses the result of lsmod and turns modules into static and disables all others. It makes a very secure and light kernel, suitable for production.

It is recommended to plug in all devices to allow detection of the needed devices.

Do you think it would be worth giving a choice to the user, like: "Compile Kernel with:
(1) grsec + shared modules (default)
(2) grsec + static modules (make localmodconfig). In this case, please plug in all your needed devices for detection."

Kind regards,
Kellogs

Cannot verify grsecurity integrity

==> Installing grsecurity stable version 3.1 using kernel version 3.14.51 ... 
==> Installing packages needed for building the kernel ... OK
==> Verifying linux-3.14.51.tar ... OK
==> Verifying grsecurity-3.1-3.14.51-201509112212.patch ... Failed

And when I tried to get this file manually by
curl --progress-bar --remote-name --tlsv1 --proto =https https://grsecurity.net/stable/grsecurity-3.1-3.14.51-201509112212.patch
it actually returned a 404 not found error.

will be learning from you

Writing to you here, because found no other way.
Found about you yesterday, from:
https://forums.grsecurity.net/viewtopic.php?f=3&t=4051
Really, only yesterday! And imagine would I not have wanted to know about this package before even venturing on my own! What I mean is, have a look:

Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835

and quite some following (because politics, social relation, not to say forceful-although-benign-and-rightful intrusion of one's views --study the comments of my script-- is needed) that my script has on:

Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16&t=108616&p=516898

I gave your script my first read. Warning: I work slowly, nothing at all here fast to happen. ...work slowly other than when talking/writing... then it depends.

Pls. let's stay ahead of the destruction in FOSS Linux, and contribute to keep the sole most important hope: the grsecurity-hardening, for the freedom of FOSS Linux to remain in the world. See my article buried in Gentoo Forums what I mean:

https://forums.gentoo.org/viewtopic-t-998108-start-300.html#7624042

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

Fetching kernel GPG key ... Failed

I'm trying to use this installer on a brand new install of Debian Jessie 8.1.0 but it just fails as follows:

==> Checking current versions of grsecurity ...

################################################################## 100.0%
################################################################## 100.0%
################################################################## 100.0%

==> 1. grsecurity version 3.1 for kernel 3.2.69, revision 201507251415 (stable version)
==> 2. grsecurity version 3.1 for kernel 3.14.48, revision 201507261203 (stable version)
==> 3. grsecurity version 3.1 for kernel 4.1.3, revision 201507261202 (testing version)
==> Please make your selection: [1-3]: 2
==> Remove build tools after install? (build-essential bin86 kernel-package libncurses5-dev zlib1g-dev gcc-4.9-plugin-dev bc): [y/N]
==> Installing grsecurity stable version 3.1 using kernel version 3.14.48 ...
==> Fetching kernel GPG key ... Failed


I should add that I am little more than a script kiddie when it comes to these types of things.

Have you seen the similar script on mempo?

Hello, your script reminds me of my script, that we wrote over a year ago (more like 2 afair).

We had such script and then upgraded it by adding

  • GPG checking of downloaded files
  • checking of expected checksums
  • edited the .conf files to use grsec, and given 4 configuration/security levels
  • checking prerequisite libraries
  • deterministic build - each time you should get identical .deb
  • scripts to automatically update the release (get new config, write its hash, edit changelog, edit config version number etc)

https://github.com/mempo/deterministic-kernel/tree/master
https://github.com/mempo/deterministic-kernel/blob/master/kernel-build/linux-mempo/build.sh
and more scripts

We distribute resulting kernels at deb repo on http://deb.mempo.org/

Since you are also interested in the Grsecurity for Debian, why not join forces, there are many things to improve together :)

Contact us, see contact section on http://mempo.org and join IRC chat #mempo on server irc.oftc.net or freenode (or irc2p from geti2p.net)

let not part of bash

installer.sh: 73: installer.sh: let: not found

let is a plugin of bash and not part of stock Debian bash.
How to enable "let" in bash?

enforce ssl using safer curl parameters

Please consider adding these options to invocations of curl against https:// resources.

         --tlsv1
         --proto =https

Otherwise there is a risk of HTTP downgrade attacks.

Not working on stock 15.04 Ubuntu

All I get is the following responses for any package download choice:

==> Remove build tools after install? (build-essential bin86 kernel-package libncurses5-dev zlib1g-dev gcc-4.9-plugin-dev bc): [y/N]
==> Installing grsecurity stable version 3.1 using kernel version 3.2.69 ...
==> Installing packages needed for building the kernel ... Failed

Allow user to remove development tools

grsecurity installer is useful in hosting environments, but leaving development tools on a server might be an issue. Why not propose users to remove all development tools after kernel compilation, running for example:

apt-get remove build-essential g++ gcc kernel-package dpkg-dev make

checking gpg exit codes only is a security issue

Checking gpg exit codes only is insufficient. Quote Werner Koch (gnupg lead developer):

"there is no clear distinction between the codes and for proper error reporting you are advised to use the --status-fd messages."

(I am struggling with this as well in other projects, therefore I wrote gpg-bash-lib.)
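
The check this issue asks for, as an added example that is not part of the issue, the installer, or gpg-bash-lib: the decision is taken from gpg's `--status-fd` lines and the exit code is ignored. It goes one step further than the issue by also pinning the signer's fingerprint. The helper names, `EXPECTED_FPR` and all status samples are constructed placeholders.

```shell
#!/bin/sh
# Added example: judge a signature by gpg's --status-fd lines, not its exit code.
# EXPECTED_FPR is a constructed placeholder, not a real key fingerprint.
EXPECTED_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
OTHER_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

# status_ok STATUS_TEXT FINGERPRINT (hypothetical helper)
# Succeeds only when there is exactly one VALIDSIG line, its last field (the
# primary key fingerprint) equals FINGERPRINT, and no failure status appears.
status_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY|NODATA)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; if ($NF == want) pinned = 1 }
        END { exit !(n == 1 && pinned && !bad) }'
}

# verify_file SIGNATURE FILE (hypothetical helper; needs gpg and a keyring).
# The exit code of gpg is deliberately ignored; only the status lines count.
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    status_ok "$status" "$EXPECTED_FPR"
}

# Constructed status output for four cases.
valid_line() {  # valid_line FINGERPRINT
    echo "[GNUPG:] VALIDSIG $1 2015-09-11 1442009520 0 4 0 1 8 00 $1"
}
GOOD_STATUS="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer
$(valid_line "$EXPECTED_FPR")"
WRONG_KEY_STATUS="[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Someone Else
$(valid_line "$OTHER_FPR")"
EXPIRED_KEY_STATUS="[GNUPG:] EXPKEYSIG AAAAAAAAAAAAAAAA Constructed Signer
$(valid_line "$EXPECTED_FPR")"
BAD_STATUS="[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Signer"
```

The wrong-key case is the one an exit-code check cannot catch: a good signature from any other key in the keyring looks like success unless the fingerprint is compared.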

gcc version detection error under non-English system

apt-cache policy gcc | grep 'Installed:' | cut -c 16-18
returns:
gcc:
Installé : 4:4.8.2-3
Candidat : 4:4.8.2-4
Table de version :
4:4.8.2-4 0
800 http://ftp2.fr.debian.org/debian/ sid/main amd64 Packages
*** 4:4.8.2-3 0
500 http://ftp2.fr.debian.org/debian/ testing/main amd64 Packages
100 /var/lib/dpkg/status
4:4.7.2-1 0
500 http://ftp2.fr.debian.org/debian/ stable/main amd64 Packages

The script returns an error:
apt-cache policy gcc | grep 'Installed:' | cut -c 16-18

Will not work.
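
The failure reported above, reproduced as an added example that is not part of the issue or the installer: the quoted pipeline next to a label-independent parse. Function names are hypothetical, the policy samples are constructed from the output in the issue, and the parse assumes the installed version is always on the second line of `apt-cache policy` output.

```shell
#!/bin/sh
# Constructed samples of `apt-cache policy gcc` output in two locales.
EN_POLICY='gcc:
  Installed: 4:4.8.2-3
  Candidate: 4:4.8.2-4'
FR_POLICY='gcc:
  Installé : 4:4.8.2-3
  Candidat : 4:4.8.2-4'

# The pipeline quoted in the issue: it depends on the English label and on
# fixed character columns, so it yields nothing when the label is translated.
legacy_gcc_version() {
    printf '%s\n' "$1" | grep 'Installed:' | cut -c 16-18
}

# Label-independent parse (hypothetical helper): take the last field of the
# second line, drop the Debian epoch ("4:"), keep major.minor.
gcc_version() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $NF }' |
        sed -e 's/^[0-9]*://' -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/'
}

# On a live system, forcing the C locale also keeps the labels in English.
live_gcc_version() {
    gcc_version "$(LC_ALL=C apt-cache policy gcc)"
}
```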

licensing issue

There is currently no license file added or otherwise license stated.

Could you please state licensing of this code?
