From: "Daniel Cegiełka" <daniel.cegielka@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] RIP hardened-sources
Date: Sat, 29 Apr 2017 20:43:39 +0200
Message-ID: <CAPLrYESvsyoR3RQ=zJzUAzQrFLhQSQbCU0SN3iaET1AEoa7xEA@mail.gmail.com>
In-Reply-To: <20170429190426.5b8e6bb0@gentp.lnet>

2017-04-29 19:04 GMT+02:00 Luis Ressel <aranea@aixah.de>:
> On Sat, 29 Apr 2017 17:56:10 +0200
> Daniel Cegiełka <daniel.cegielka@gmail.com> wrote:
>
>> By the way, I don't know what Gentoo Hardened or Alpine Linux
>> have done wrong that they are now left out in the cold.
>
> That's the part I don't get either. Since the only possible motivation
> I can think of for this move is to generate more income, they could've
> at least tried asking the community for donations first.

It's more complex:
https://www.theregister.co.uk/2015/08/27/grsecurity/

I don't judge them. I'm interested in the future of projects that were
heavily dependent on PaX (Gentoo Hardened, Alpine Linux).

> Now, I suppose someone is going to answer "If you'd be willing to
> regularly donate to them, you might as well get a subscription", but I
> fear this might have some serious drawbacks. In the past years,
> the Gentoo Hardened devs have invested quite some work to make sure
> most applications in the tree work on grsec/PaX-enabled kernels without
> too much fallout. But now, there's suddenly a lot less motivation to
> keep up this work.

Ned Ludd (or Solar, but != Designer) has put a lot of work into the
launch of Gentoo Hardened and, of course, the popularization of PaX.
Old times.. :)

>> Instead of complaining, we have to decide what to do next. In my
>> opinion, it is critical to maintain support for PaX* for future
>> kernels. It will not be easy, so I'm right away saying that Gentoo
>> Hardened, Alpine Linux etc. should join forces in realizing this
>> project. I think there will be more people who will be interested
>> in...
>
> It might be hard to come up with the manpower needed to maintain such a
> large kernel patch. Assuming upstream stand by their decision in
> the long run, I think the only reasonable long-term approach would be to
> try mainlining as much as possible and forget about the rest. And as
> Brad and PaX Team can surely tell us, that'd be a gargantuan task if it
> is at all possible.

Patch weight is not the problem.. KSPP is. They copy (raw copy.. I
hope) code from PaX and bring it to the kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c054ee3bbf69ebcabb1f3218b7faf4b1b37a8eb6
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5509cc18daa7f82bcc553be70df2117c8eedc16
This means that there will be conflicts in the future. I don't claim
that maintaining PaX support will be easy, but it's possible to do so.

Daniel