This is an umbrella bug for discussing/changing each kernel setting and some sysctls with security impact. Since those most likely need to be discussed one by one, opening up an umbrella issue for this makes sense to me.
I would like to propose postponing the merge of all these patches: 1) They are all mostly untested, especially on the more fragile architectures, and we have no idea what the problems will be. We are *days* before a new kernel scheduled to be released and I do not feel comfortable with merging some of them without *months* of testing. 2) I do not want to delay Core Update 146. We already have a massive amount of patches on the list that need to be reviewed, tested and released. Core Update 146 cannot have them because we wanted a kernel-only release that was small and therefore easy to test and quick to release. 3) We have, as of today, received another bunch of hardware vulnerabilities on Intel processors. The mitigations for those should be released ASAP. Anyone in favour? Objections?
Ultimately, I agree. Indeed, especially the patches and patchsets handed in yesterday evening are untested, as I wanted to send them to the list before being unavailable for some time, so we could ship at least some of them in Core Update 146. As of yesterday evening, it is very unlikely that this will be possible without delaying Core Update 146 too much. I have totally underestimated the complexity and effort required for this topic. Nevertheless, it seems to be most important to me. If I may suggest something: let's pack as many patches into Core Update 146 as possible, if this can be done within the next days and is unlikely to break anything. We will have to ship kernels later either way, and can include the rest of those hardening patches then - if needed, one at a time. As they say: "Good security is expensive. Bad security is unaffordable." :-)