Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

["Michał Górny" <mgorny@gentoo.org>]

W dniu nie, 20.08.2017 o godzinie 00∶39 -0500, użytkownik R0b0t1
napisał:
> On Sat, Aug 19, 2017 at 6:34 AM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
> > El 19/08/17 a las 13:18, Aaron W. Swenson escribió:
> > > On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > El 19/08/17 a las 12:37, Aaron W. Swenson escribió:
> > > > > On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > > > Hi!
> > > > > > 
> > > > > > I'd like to get this one up by Saturday so that we can proceed with
> > > > > > masking and removing of the hardened-sources after upstream stopped
> > > > > > releasing new patches.
> > > > > 
> > > > > I hope I’m not too late.
> > > > > 
> > > > > > We'd like to note that all the userspace hardening and MAC support
> > > > > > for SELinux provided by Gentoo Hardened will still remain there and
> > > > > > is unaffected by this removal.
> > > > > 
> > > > > Where is there? I think you’re talking about the packages, but the news
> > > > > item is about the kernels. It would help to be more specific here.
> > > > > 
> > > > > That’s all I had that the others hadn’t touched on.
> > > > 
> > > > Do you think something like that is better then?
> > > > 
> > > > We'd like to note that all the userspace hardening and MAC support
> > > > for SELinux provided by Gentoo Hardened will still remain available
> > > > on the portage. Keep in mind though that the security provided by
> > > > these features will be weakened a bit when using
> > > > sys-kernel/gentoo-sources. Also, all PaX related packages other than
> > > > the hardened-sources will remain available for the time being.
> > > > 
> > > > 
> > > 
> > > Much better. We should mention that we’re specifically discussing
> > > packages and not portage itself. At least, that’s my understanding from
> > > your edit.
> > > 
> > > Here’s my take on it:
> > > 
> > > We'd like to note that all the userspace hardening and MAC support for
> > > SELinux provided by Gentoo Hardened will still remain in the packages
> > > found in portage. Keep in mind, though, that the security provided by
> > > these features will be weakened a bit when using
> > > sys-kernel/gentoo-sources. Also, all PaX related packages, except
> > > sys-kernel/hardened-sources, will remain available for the time being.
> > 
> > I updated the news item with your propossal. Thanks a lot :)
> > 
> 
> The discussion is nice but no one has actually touched on the
> technical merits of removing the packages besides "they are old."
> There's plenty of old software in portage. Why not remove it first?

Please select some, and I'll be happy to treeclean it ASAP.

> I had a similar issue with the GCC developer who removed GCJ support.
> I asked him for any justification at all for the removal and he had
> none but some vague statements about it creating work. I would have
> taken any more specific example he gave at face value, but he didn't
> want to give one. I was left to conclude he didn't have one to give.
> 
> So I ask again: On what basis are the hardened sources being removed
> from the tree?

Old kernel versions are a natural vulnerability targets. Even if they
are not vulnerable at the moment, they surely will be soon enough.

> At this point I am far less interested in making sure the sources stay
> in the tree than I am in forcing you to justify your actions, because
> I suspect your attempt to do so will be entertaining.
> 

This is called inappropriate behavior and in a civilized distribution it
should result in disciplinary action. However, that's just my opinion
and I'm free to express it just as you are free to express yours.

-- 
Best regards,
Michał Górny