[gentoo-dev] New item for sys-kernel/hardened-sources removal

[gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1.1: Type: text/plain, Size: 452 bytes --]

Hi!

I'd like to get this one up by Saturday so that we can proceed with
masking and removing of the hardened-sources after upstream stopped
releasing new patches.

This is my first time writting a news item so all input will be appreciated.

As for the rationale behind this, we need to clearly inform users as to
the options available for hardening their system kernels after the
removal of the hardened-sources.

Sincerely,
Klondike


[-- Attachment #1.1.2: 2017-08-19-hardened-sources-removal.en.txt --]
[-- Type: text/plain, Size: 1948 bytes --]

Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources

As you may know the core of sys-kernel/hardened-sources have been the
patches published by Grsec.

Sadly, their developers have stopped making these freely available [1].
As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) being resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore,
the security of the users of these kernel sources.

Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove then from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.

Our recommendation is that users should consider using instead
sys-kernel/gentoo-sources.

As an alternative, for users happy keeping themselves on the  stable
4.9 branch of the kernel minipli, another Grsec user, is forward
porting the patches on [2]. The Gentoo Hardened team can't make any
statement regarding the security, reliability or update availability
of those patches as we aren't providing them and can't therefore
make any recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal.

Finally we'd like to send a sincere thank you to Brad Spengler and
the PaX Team for making their hardening patches freely available all
this time.



[1] https://grsecurity.net/passing_the_baton.php
[2] https://github.com/minipli/linux-unofficial_grsec

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1.1: Type: text/plain, Size: 688 bytes --]

El 15/08/17 a las 17:01, Francisco Blas Izquierdo Riera (klondike) escribió:
> Hi!
>
> I'd like to get this one up by Saturday so that we can proceed with
> masking and removing of the hardened-sources after upstream stopped
> releasing new patches.
>
> This is my first time writting a news item so all input will be appreciated.
>
> As for the rationale behind this, we need to clearly inform users as to
> the options available for hardening their system kernels after the
> removal of the hardened-sources.
>
> Sincerely,
> Klondike
>
Updated the news item following comments from dilfridge, mrueg and
floppym. Also made it display to users of hardened profiles.


[-- Attachment #1.1.2: 2017-08-19-hardened-sources-removal.en.txt --]
[-- Type: text/plain, Size: 2239 bytes --]

Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 2
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*

As you may know the core of sys-kernel/hardened-sources have been the
patches published by Grsec.

Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago[2].

As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) being resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore,
the security of the users of these kernel sources.

Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove then from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.

Our recommendation is that users should consider using instead
sys-kernel/gentoo-sources.

As an alternative, for users happy keeping themselves on the  stable
4.9 branch of the kernel minipli, another Grsec user, is forward
porting the patches on [3].

Strcat from Copperhead OS is making his own version of the patches
forward ported to the latest version of the Linux tree at [4].

The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either those patches
as we aren't providing them and can't therefore make any
recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal.

[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-
hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[R0b0t1]

On Tue, Aug 15, 2017 at 10:01 AM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> Hi!
>
> I'd like to get this one up by Saturday so that we can proceed with
> masking and removing of the hardened-sources after upstream stopped
> releasing new patches.

Where was this decision discussed? The last available kernel is
apparently receiving long term support, there may not be any reason to
remove it. If it isn't broken and creating work yet I'm not sure why
anyone cares.

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 948 bytes --]

>>>>> On Tue, 15 Aug 2017, Francisco Blas Izquierdo Riera (klondike) wrote:

> Updated the news item following comments from dilfridge, mrueg and
> floppym. Also made it display to users of hardened profiles.

Some very minor comments:

> Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>

Format of the line is "Real Name <email@address>", so I'd suggest to
drop the nick in parentheses, especially since it is there in the
e-mail address anyway.

> Because of that we will be masking the hardened-sources on the 27th of
> August and will proceed to remove then from the tree by the end of
> September. [...]

s/then/them/

> As an alternative, for users happy keeping themselves on the  stable
> 4.9 branch of the kernel minipli, another Grsec user, is forward
> porting the patches on [3].

I had difficulties parsing this sentence. Insert a comma after
"kernel"? Also there is spurious whitespace before "stable".

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1: Type: text/plain, Size: 953 bytes --]

El 15/08/17 a las 17:50, R0b0t1 escribió:
> Where was this decision discussed?
https://archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff

And many other threads in that list for example, those are just blueness
(the package maintainer) conclussions.
> The last available kernel is
> apparently receiving long term support, there may not be any reason to
> remove it.
Not by the original upstream, and definitively not in the way in which
Grsec used to (manually cherrypicking security related commits and not
just those marked as security related).

Although minipli's kernel patches are good and I personally recommend
them, this is not something the Gentoo Hardened team will do. Also they
probably should be renamed something else.
> If it isn't broken and creating work yet I'm not sure why
> anyone cares.

Go to #gentoo-hardened and see how there is people asking about this
again and again :P



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1.1: Type: text/plain, Size: 1249 bytes --]

El 15/08/17 a las 18:08, Ulrich Mueller escribió:
>>>>>> On Tue, 15 Aug 2017, Francisco Blas Izquierdo Riera (klondike) wrote:
>> Updated the news item following comments from dilfridge, mrueg and
>> floppym. Also made it display to users of hardened profiles.
> Some very minor comments:
>
>> Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
> Format of the line is "Real Name <email@address>", so I'd suggest to
> drop the nick in parentheses, especially since it is there in the
> e-mail address anyway.
>
>> Because of that we will be masking the hardened-sources on the 27th of
>> August and will proceed to remove then from the tree by the end of
>> September. [...]
> s/then/them/
>
>> As an alternative, for users happy keeping themselves on the  stable
>> 4.9 branch of the kernel minipli, another Grsec user, is forward
>> porting the patches on [3].
> I had difficulties parsing this sentence. Insert a comma after
> "kernel"? Also there is spurious whitespace before "stable".
>
> Ulrich

Thanks for your input, I have addressed your comments on the attached
news item.

I have also added a note regarding the other PaX related packages as
these won't stil be removed.


Klondike


[-- Attachment #1.1.2: 2017-08-19-hardened-sources-removal.en.txt --]
[-- Type: text/plain, Size: 2374 bytes --]

Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 3
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*

As you may know the core of sys-kernel/hardened-sources have been the
patches published by Grsec.

Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago[2].

As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) being resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore,
the security of the users of these kernel sources.

Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove them from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.

Our recommendation is that users should consider using instead
sys-kernel/gentoo-sources.

As an alternative, for users happy keeping themselves on the stable
4.9 branch of the kernel; minipli, another Grsec user, is forward
porting the patches on [3].

Strcat from Copperhead OS is making his own version of the patches
forward ported to the latest version of the Linux tree at [4].

The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either those patches
as we aren't providing them and can't therefore make any
recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal. Also, all PaX related packages other
than the hardened-sources will remain for the time being.

[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-
hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Marek Szuba]

[-- Attachment #1.1: Type: text/plain, Size: 660 bytes --]

On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:

> I'd like to get this one up by Saturday so that we can proceed with
> masking and removing of the hardened-sources after upstream stopped
> releasing new patches.
> 
> This is my first time writting a news item so all input will be appreciated.

Two tiny bits of formal nitpicking from my side:
 - it's "grsecurity" (not a typo, they do use a lowercase g except when
the name appears at the beginning of a sentence), not "grsec";
 - the patches were not *distributed by* grsecurity, they *are*
grsecurity. The vendor's name is Open Source Security, Inc.


-- 
Marecki


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1.1: Type: text/plain, Size: 835 bytes --]

El 16/08/17 a las 09:40, Marek Szuba escribió:
> Two tiny bits of formal nitpicking from my side:
>  - it's "grsecurity" (not a typo, they do use a lowercase g except when
> the name appears at the beginning of a sentence), not "grsec";
>  - the patches were not *distributed by* grsecurity, they *are*
> grsecurity. The vendor's name is Open Source Security, Inc.

Nowadays it is, but this hasn't always been the case. You'll notice the
presence of a /dev/grsec and you'll also find grsec referenced accross
some old patches. Anyways I changed it.

The same applies to Open Source Security, Inc. the company was founded
on 2008 but grsecurity has been around for much longer. That's why I
prefer to refer to Brad Spengler and The PaX team here as they are still
the real upstream behind Open Source Security, Inc.



[-- Attachment #1.1.2: 2017-08-19-hardened-sources-removal.en.txt --]
[-- Type: text/plain, Size: 2320 bytes --]

Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 4
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*

As you may know the core of sys-kernel/hardened-sources have been the
grsecuirty patches.

Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago[2].

As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) being resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore,
the security of the users of these kernel sources.

Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove them from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.

Our recommendation is that users should consider using instead
sys-kernel/gentoo-sources.

As an alternative, for users happy keeping themselves on the stable
4.9 branch of the kernel; minipli, another grsecurity user, is forward
porting the patches on [3].

Strcat from Copperhead OS is making his own version of the patches
forward ported to the latest version of the Linux tree at [4].

The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either those patches
as we aren't providing them and can't therefore make any
recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal. Also, all PaX related packages other
than the hardened-sources will remain for the time being.

[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-
hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Duncan]

Francisco Blas Izquierdo Riera (klondike) posted on Wed, 16 Aug 2017
12:09:57 +0200 as excerpted:

> s you may know the core of sys-kernel/hardened-sources have been the
> grsecuirty patches.

New typo: s/grsecuirty/grsecurity/

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1.1: Type: text/plain, Size: 436 bytes --]

El 16/08/17 a las 18:01, Duncan escribió:
> Francisco Blas Izquierdo Riera (klondike) posted on Wed, 16 Aug 2017
> 12:09:57 +0200 as excerpted:
>
>> s you may know the core of sys-kernel/hardened-sources have been the
>> grsecuirty patches.
> New typo: s/grsecuirty/grsecurity/
>
Thanks, I fixed it :)

@all I'll get this pushed up before going to bed tomorrow so I guess
this is the last chance for any comments left :)


[-- Attachment #1.1.2: 2017-08-19-hardened-sources-removal.en.txt --]
[-- Type: text/plain, Size: 2320 bytes --]

Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 4
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*

As you may know the core of sys-kernel/hardened-sources have been the
grsecurity patches.

Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago[2].

As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) being resistant against
certain attacks like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore,
the security of the users of these kernel sources.

Because of that we will be masking the hardened-sources on the 27th of
August and will proceed to remove them from the tree by the end of
September. Obviously, we will reinstate the package again if the
developers decide to make their patches publicly available again.

Our recommendation is that users should consider using instead
sys-kernel/gentoo-sources.

As an alternative, for users happy keeping themselves on the stable
4.9 branch of the kernel; minipli, another grsecurity user, is forward
porting the patches on [3].

Strcat from Copperhead OS is making his own version of the patches
forward ported to the latest version of the Linux tree at [4].

The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either those patches
as we aren't providing them and can't therefore make any
recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain there and
is unaffected by this removal. Also, all PaX related packages other
than the hardened-sources will remain for the time being.

[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-
hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[R0b0t1]

On Tue, Aug 15, 2017 at 3:03 PM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> El 15/08/17 a las 17:50, R0b0t1 escribió:
>> Where was this decision discussed?
> https://archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff
>
> And many other threads in that list for example, those are just blueness
> (the package maintainer) conclussions.
>> The last available kernel is
>> apparently receiving long term support, there may not be any reason to
>> remove it.
> Not by the original upstream, and definitively not in the way in which
> Grsec used to (manually cherrypicking security related commits and not
> just those marked as security related).
>

All blueness says in that is that he can't personally support the
patches. That's fine, and nobody that I know of ever expected him to
do that. However, until they are unfixably broken, why remove them?
Keeping them until a suitable replacement is available seems like the
best option available.

There's no criteria in that notice for when they would be removed.
What criteria was used to decide they are generating useless work and
should be removed?

> Although minipli's kernel patches are good and I personally recommend
> them, this is not something the Gentoo Hardened team will do. Also they
> probably should be renamed something else.

I'm not sure anyone is asking the hardened team to do anything, except
for people on the hardened team who want to remove the patches.

>> If it isn't broken and creating work yet I'm not sure why
>> anyone cares.
>
> Go to #gentoo-hardened and see how there is people asking about this
> again and again :P
>

I'm not sure what you mean. There are people asking about it, but that
doesn't necessarily mean they want it to happen. If something is done
people are going to discuss it regardless of what it is.


Please understand, I don't want to keep an old version of the kernel
and associated patches around forever, just until a replacement is
actually found.

R0b0t1.

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 661 bytes --]

On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> Hi!
> 
> I'd like to get this one up by Saturday so that we can proceed with
> masking and removing of the hardened-sources after upstream stopped
> releasing new patches.

I hope I’m not too late.

> We'd like to note that all the userspace hardening and MAC support
> for SELinux provided by Gentoo Hardened will still remain there and
> is unaffected by this removal.

Where is there? I think you’re talking about the packages, but the news
item is about the kernels. It would help to be more specific here.

That’s all I had that the others hadn’t touched on.

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 376 bytes --]

[gentoo-dev] About sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1: Type: text/plain, Size: 3664 bytes --]

Hi!

The gentoo-dev list is not the right place to keep up discussion on why
or how the hardened-sources will be removed. Not this thread which is
about the news item.

Most packages just get masked and removed in 30 days for example without
sending a news item just an e-mail to gentoo-dev-announce. The only
reason why we are sending it is because most Gentoo Hardened users were
using the hardened-sources and deserve a heads-up as to what will happen
to them and what can they do after (as there will be no clear and simple
upgrade path with similar features).

Please do send further answers to gentoo-hardened which is the porject's
mailing list.

El 18/08/17 a las 02:59, R0b0t1 escribió:
> On Tue, Aug 15, 2017 at 3:03 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> El 15/08/17 a las 17:50, R0b0t1 escribió:
>>> Where was this decision discussed?
>> https://archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff
>>
>> And many other threads in that list for example, those are just blueness
>> (the package maintainer) conclussions.
>>> The last available kernel is
>>> apparently receiving long term support, there may not be any reason to
>>> remove it.
>> Not by the original upstream, and definitively not in the way in which
>> Grsec used to (manually cherrypicking security related commits and not
>> just those marked as security related).
>>
> All blueness says in that is that he can't personally support the
> patches. That's fine, and nobody that I know of ever expected him to
> do that. However, until they are unfixably broken, why remove them?
> Keeping them until a suitable replacement is available seems like the
> best option available.
> There's no criteria in that notice for when they would be removed.
> What criteria was used to decide they are generating useless work and
> should be removed?
They are already unfixably broken. They are affected by stack clash
(when using certain obscure configs but nonetheless). They are to all
effects unmaintained (as in upstream not publishing patches we can
provide to you). And I'd rather not look at what other fixes came in the
4.9 tree since then that I have missed.
>> Although minipli's kernel patches are good and I personally recommend
>> them, this is not something the Gentoo Hardened team will do. Also they
>> probably should be renamed something else.
> I'm not sure anyone is asking the hardened team to do anything, except
> for people on the hardened team who want to remove the patches.
Then please address blueness about this (on the aforementioned thread)
and not me. I'm just the messenger who was asked to deliver the news.
>>> If it isn't broken and creating work yet I'm not sure why
>>> anyone cares.
>> Go to #gentoo-hardened and see how there is people asking about this
>> again and again :P
>>
> I'm not sure what you mean. There are people asking about it, but that
> doesn't necessarily mean they want it to happen. If something is done
> people are going to discuss it regardless of what it is.
I mean people is asking "what happens with the hardened-sources?" and we
having to answer. Now at least we have a clear path of action announced. 
> Please understand, I don't want to keep an old version of the kernel
> and associated patches around forever, just until a replacement is
> actually found.
There are a few replacements, we aren't just providing an ebuild in the
portage tree for them (except for gentoo-sources, of course).

If you want to keep the ebuilds and patches I recommend you set up a
personal overlay instead.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1: Type: text/plain, Size: 1176 bytes --]

El 19/08/17 a las 12:37, Aaron W. Swenson escribió:
> On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>> Hi!
>>
>> I'd like to get this one up by Saturday so that we can proceed with
>> masking and removing of the hardened-sources after upstream stopped
>> releasing new patches.
> I hope I’m not too late.
>
>> We'd like to note that all the userspace hardening and MAC support
>> for SELinux provided by Gentoo Hardened will still remain there and
>> is unaffected by this removal.
> Where is there? I think you’re talking about the packages, but the news
> item is about the kernels. It would help to be more specific here.
>
> That’s all I had that the others hadn’t touched on.

Do you think something like that is better then?

We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will still remain available
on the portage. Keep in mind though that the security provided by
these features will be weakened a bit when using
sys-kernel/gentoo-sources. Also, all PaX related packages other than
the hardened-sources will remain available for the time being.



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 1891 bytes --]

On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> El 19/08/17 a las 12:37, Aaron W. Swenson escribió:
> > On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> >> Hi!
> >>
> >> I'd like to get this one up by Saturday so that we can proceed with
> >> masking and removing of the hardened-sources after upstream stopped
> >> releasing new patches.
> > I hope I’m not too late.
> >
> >> We'd like to note that all the userspace hardening and MAC support
> >> for SELinux provided by Gentoo Hardened will still remain there and
> >> is unaffected by this removal.
> > Where is there? I think you’re talking about the packages, but the news
> > item is about the kernels. It would help to be more specific here.
> >
> > That’s all I had that the others hadn’t touched on.
> 
> Do you think something like that is better then?
> 
> We'd like to note that all the userspace hardening and MAC support
> for SELinux provided by Gentoo Hardened will still remain available
> on the portage. Keep in mind though that the security provided by
> these features will be weakened a bit when using
> sys-kernel/gentoo-sources. Also, all PaX related packages other than
> the hardened-sources will remain available for the time being.
> 
> 

Much better. We should mention that we’re specifically discussing
packages and not portage itself. At least, that’s my understanding from
your edit.

Here’s my take on it:

We'd like to note that all the userspace hardening and MAC support for
SELinux provided by Gentoo Hardened will still remain in the packages
found in portage. Keep in mind, though, that the security provided by
these features will be weakened a bit when using
sys-kernel/gentoo-sources. Also, all PaX related packages, except
sys-kernel/hardened-sources, will remain available for the time being.

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 376 bytes --]

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1: Type: text/plain, Size: 2039 bytes --]

El 19/08/17 a las 13:18, Aaron W. Swenson escribió:
> On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>> El 19/08/17 a las 12:37, Aaron W. Swenson escribió:
>>> On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>> Hi!
>>>>
>>>> I'd like to get this one up by Saturday so that we can proceed with
>>>> masking and removing of the hardened-sources after upstream stopped
>>>> releasing new patches.
>>> I hope I’m not too late.
>>>
>>>> We'd like to note that all the userspace hardening and MAC support
>>>> for SELinux provided by Gentoo Hardened will still remain there and
>>>> is unaffected by this removal.
>>> Where is there? I think you’re talking about the packages, but the news
>>> item is about the kernels. It would help to be more specific here.
>>>
>>> That’s all I had that the others hadn’t touched on.
>> Do you think something like that is better then?
>>
>> We'd like to note that all the userspace hardening and MAC support
>> for SELinux provided by Gentoo Hardened will still remain available
>> on the portage. Keep in mind though that the security provided by
>> these features will be weakened a bit when using
>> sys-kernel/gentoo-sources. Also, all PaX related packages other than
>> the hardened-sources will remain available for the time being.
>>
>>
> Much better. We should mention that we’re specifically discussing
> packages and not portage itself. At least, that’s my understanding from
> your edit.
>
> Here’s my take on it:
>
> We'd like to note that all the userspace hardening and MAC support for
> SELinux provided by Gentoo Hardened will still remain in the packages
> found in portage. Keep in mind, though, that the security provided by
> these features will be weakened a bit when using
> sys-kernel/gentoo-sources. Also, all PaX related packages, except
> sys-kernel/hardened-sources, will remain available for the time being.

I updated the news item with your propossal. Thanks a lot :)



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]

[gentoo-dev] Re: New item for sys-kernel/hardened-sources removal

[Duncan]

Aaron W. Swenson posted on Sat, 19 Aug 2017 07:18:20 -0400 as excerpted:

[Proposed news item excerpt]

> We'd like to note that all the userspace hardening and MAC support for
> SELinux provided by Gentoo Hardened will still remain in the packages
> found in portage.

s/portage/the main gentoo tree/

Portage is a package manager, the default certainly, but still one of
three.  "The portage tree" usage remains around for legacy reasons,
but "the gentoo tree" or even "the main gentoo tree" (because
overlays) is arguably more accurate modern usage.

[Just my contribution to the shed color debate. =:^P  ]

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Re: [gentoo-dev] Re: New item for sys-kernel/hardened-sources removal

[Michał Górny]

W dniu sob, 19.08.2017 o godzinie 22∶15 +0000, użytkownik Duncan
napisał:
> Aaron W. Swenson posted on Sat, 19 Aug 2017 07:18:20 -0400 as excerpted:
> 
> [Proposed news item excerpt]
> 
> > We'd like to note that all the userspace hardening and MAC support for
> > SELinux provided by Gentoo Hardened will still remain in the packages
> > found in portage.
> 
> s/portage/the main gentoo tree/
> 

s/tree/repository/

Though I'd say it's even better to say 'the Gentoo repository'.

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[R0b0t1]

On Sat, Aug 19, 2017 at 6:34 AM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> El 19/08/17 a las 13:18, Aaron W. Swenson escribió:
>> On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>>> El 19/08/17 a las 12:37, Aaron W. Swenson escribió:
>>>> On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>>> Hi!
>>>>>
>>>>> I'd like to get this one up by Saturday so that we can proceed with
>>>>> masking and removing of the hardened-sources after upstream stopped
>>>>> releasing new patches.
>>>> I hope I’m not too late.
>>>>
>>>>> We'd like to note that all the userspace hardening and MAC support
>>>>> for SELinux provided by Gentoo Hardened will still remain there and
>>>>> is unaffected by this removal.
>>>> Where is there? I think you’re talking about the packages, but the news
>>>> item is about the kernels. It would help to be more specific here.
>>>>
>>>> That’s all I had that the others hadn’t touched on.
>>> Do you think something like that is better then?
>>>
>>> We'd like to note that all the userspace hardening and MAC support
>>> for SELinux provided by Gentoo Hardened will still remain available
>>> on the portage. Keep in mind though that the security provided by
>>> these features will be weakened a bit when using
>>> sys-kernel/gentoo-sources. Also, all PaX related packages other than
>>> the hardened-sources will remain available for the time being.
>>>
>>>
>> Much better. We should mention that we’re specifically discussing
>> packages and not portage itself. At least, that’s my understanding from
>> your edit.
>>
>> Here’s my take on it:
>>
>> We'd like to note that all the userspace hardening and MAC support for
>> SELinux provided by Gentoo Hardened will still remain in the packages
>> found in portage. Keep in mind, though, that the security provided by
>> these features will be weakened a bit when using
>> sys-kernel/gentoo-sources. Also, all PaX related packages, except
>> sys-kernel/hardened-sources, will remain available for the time being.
>
> I updated the news item with your propossal. Thanks a lot :)
>

The discussion is nice but no one has actually touched on the
technical merits of removing the packages besides "they are old."
There's plenty of old software in portage. Why not remove it first?

I had a similar issue with the GCC developer who removed GCJ support.
I asked him for any justification at all for the removal and he had
none but some vague statements about it creating work. I would have
taken any more specific example he gave at face value, but he didn't
want to give one. I was left to conclude he didn't have one to give.

So I ask again: On what basis are the hardened sources being removed
from the tree?

At this point I am far less interested in making sure the sources stay
in the tree than I am in forcing you to justify your actions, because
I suspect your attempt to do so will be entertaining.

R0b0t1.

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[R0b0t1]

On Sun, Aug 20, 2017 at 12:39 AM, R0b0t1 <r030t1@gmail.com> wrote:
> On Sat, Aug 19, 2017 at 6:34 AM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> El 19/08/17 a las 13:18, Aaron W. Swenson escribió:
>>> On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>> El 19/08/17 a las 12:37, Aaron W. Swenson escribió:
>>>>> On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>>>> Hi!
>>>>>>
>>>>>> I'd like to get this one up by Saturday so that we can proceed with
>>>>>> masking and removing of the hardened-sources after upstream stopped
>>>>>> releasing new patches.
>>>>> I hope I’m not too late.
>>>>>
>>>>>> We'd like to note that all the userspace hardening and MAC support
>>>>>> for SELinux provided by Gentoo Hardened will still remain there and
>>>>>> is unaffected by this removal.
>>>>> Where is there? I think you’re talking about the packages, but the news
>>>>> item is about the kernels. It would help to be more specific here.
>>>>>
>>>>> That’s all I had that the others hadn’t touched on.
>>>> Do you think something like that is better then?
>>>>
>>>> We'd like to note that all the userspace hardening and MAC support
>>>> for SELinux provided by Gentoo Hardened will still remain available
>>>> on the portage. Keep in mind though that the security provided by
>>>> these features will be weakened a bit when using
>>>> sys-kernel/gentoo-sources. Also, all PaX related packages other than
>>>> the hardened-sources will remain available for the time being.
>>>>
>>>>
>>> Much better. We should mention that we’re specifically discussing
>>> packages and not portage itself. At least, that’s my understanding from
>>> your edit.
>>>
>>> Here’s my take on it:
>>>
>>> We'd like to note that all the userspace hardening and MAC support for
>>> SELinux provided by Gentoo Hardened will still remain in the packages
>>> found in portage. Keep in mind, though, that the security provided by
>>> these features will be weakened a bit when using
>>> sys-kernel/gentoo-sources. Also, all PaX related packages, except
>>> sys-kernel/hardened-sources, will remain available for the time being.
>>
>> I updated the news item with your propossal. Thanks a lot :)
>>
>
> The discussion is nice but no one has actually touched on the
> technical merits of removing the packages besides "they are old."
> There's plenty of old software in portage. Why not remove it first?
>
> I had a similar issue with the GCC developer who removed GCJ support.
> I asked him for any justification at all for the removal and he had
> none but some vague statements about it creating work. I would have
> taken any more specific example he gave at face value, but he didn't
> want to give one. I was left to conclude he didn't have one to give.
>
> So I ask again: On what basis are the hardened sources being removed
> from the tree?
>
> At this point I am far less interested in making sure the sources stay
> in the tree than I am in forcing you to justify your actions, because
> I suspect your attempt to do so will be entertaining.
>

I just had a bad day so perhaps that last bit was a tad blunt.
Consider replacing it with this:

There is nothing that holds you accountable to me. However, I am
honestly trying to understand why you are doing what you are doing and
would like you to explain your decision making process to me. If you
can't explain it to me, then how do you know that you have selected
the best course of action?

If it was a matter of opinion I can accept you will probably go "I'm a
developer" and then ignore me. However I don't think it has gotten to
that point yet, and you are doing the thing being discussed for what
seems to be nebulous and poorly defined reasons.

R0b0t1.

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

[Michał Górny]

W dniu nie, 20.08.2017 o godzinie 00∶39 -0500, użytkownik R0b0t1
napisał:
> On Sat, Aug 19, 2017 at 6:34 AM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
> > El 19/08/17 a las 13:18, Aaron W. Swenson escribió:
> > > On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > El 19/08/17 a las 12:37, Aaron W. Swenson escribió:
> > > > > On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > > > Hi!
> > > > > > 
> > > > > > I'd like to get this one up by Saturday so that we can proceed with
> > > > > > masking and removing of the hardened-sources after upstream stopped
> > > > > > releasing new patches.
> > > > > 
> > > > > I hope I’m not too late.
> > > > > 
> > > > > > We'd like to note that all the userspace hardening and MAC support
> > > > > > for SELinux provided by Gentoo Hardened will still remain there and
> > > > > > is unaffected by this removal.
> > > > > 
> > > > > Where is there? I think you’re talking about the packages, but the news
> > > > > item is about the kernels. It would help to be more specific here.
> > > > > 
> > > > > That’s all I had that the others hadn’t touched on.
> > > > 
> > > > Do you think something like that is better then?
> > > > 
> > > > We'd like to note that all the userspace hardening and MAC support
> > > > for SELinux provided by Gentoo Hardened will still remain available
> > > > on the portage. Keep in mind though that the security provided by
> > > > these features will be weakened a bit when using
> > > > sys-kernel/gentoo-sources. Also, all PaX related packages other than
> > > > the hardened-sources will remain available for the time being.
> > > > 
> > > > 
> > > 
> > > Much better. We should mention that we’re specifically discussing
> > > packages and not portage itself. At least, that’s my understanding from
> > > your edit.
> > > 
> > > Here’s my take on it:
> > > 
> > > We'd like to note that all the userspace hardening and MAC support for
> > > SELinux provided by Gentoo Hardened will still remain in the packages
> > > found in portage. Keep in mind, though, that the security provided by
> > > these features will be weakened a bit when using
> > > sys-kernel/gentoo-sources. Also, all PaX related packages, except
> > > sys-kernel/hardened-sources, will remain available for the time being.
> > 
> > I updated the news item with your propossal. Thanks a lot :)
> > 
> 
> The discussion is nice but no one has actually touched on the
> technical merits of removing the packages besides "they are old."
> There's plenty of old software in portage. Why not remove it first?

Please select some, and I'll be happy to treeclean it ASAP.

> I had a similar issue with the GCC developer who removed GCJ support.
> I asked him for any justification at all for the removal and he had
> none but some vague statements about it creating work. I would have
> taken any more specific example he gave at face value, but he didn't
> want to give one. I was left to conclude he didn't have one to give.
> 
> So I ask again: On what basis are the hardened sources being removed
> from the tree?

Old kernel versions are a natural vulnerability targets. Even if they
are not vulnerable at the moment, they surely will be soon enough.

> At this point I am far less interested in making sure the sources stay
> in the tree than I am in forcing you to justify your actions, because
> I suspect your attempt to do so will be entertaining.
> 

This is called inappropriate behavior and in a civilized distribution it
should result in disciplinary action. However, that's just my opinion
and I'm free to express it just as you are free to express yours.

-- 
Best regards,
Michał Górny

[gentoo-dev] Re: New item for sys-kernel/hardened-sources removal

[Duncan]

Michał Górny posted on Sun, 20 Aug 2017 09:53:54 +0200 as excerpted:

> W dniu nie, 20.08.2017 o godzinie 00∶39 -0500, użytkownik R0b0t1
> napisał:
>> 
>> The discussion is nice but no one has actually touched on the
>> technical merits of removing the packages besides "they are old."

>> So I ask again: On what basis are the hardened sources being removed
>> from the tree?
> 
> Old kernel versions are a natural vulnerability targets. Even if they
> are not vulnerable at the moment, they surely will be soon enough.

This.

Hardened-sources isn't just some generic package, where perhaps masking 
it as vulnerable but leaving it in the tree for those wishing to use it 
for its primary purpose /despite/ vulns, might arguably be justified.

In this case, that "primary purpose" *is* resistance to attack, and 
leaving old and now unsupported versions in the tree when they're 
guaranteed to be increasingly vulnerable to new attacks is simply 
irresponsible, with no logical argument that can be made otherwise, thus 
the removal.

Were it any other package, with any other primary purpose... but it's not.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Re: [gentoo-dev] Re: New item for sys-kernel/hardened-sources removal

[Francisco Blas Izquierdo Riera (klondike)]

[-- Attachment #1.1: Type: text/plain, Size: 617 bytes --]

El 20/08/17 a las 00:44, Michał Górny escribió:
> W dniu sob, 19.08.2017 o godzinie 22∶15 +0000, użytkownik Duncan
> napisał:
>> Aaron W. Swenson posted on Sat, 19 Aug 2017 07:18:20 -0400 as excerpted:
>>
>> [Proposed news item excerpt]
>>
>>> We'd like to note that all the userspace hardening and MAC support for
>>> SELinux provided by Gentoo Hardened will still remain in the packages
>>> found in portage.
>> s/portage/the main gentoo tree/
>>
> s/tree/repository/
>
> Though I'd say it's even better to say 'the Gentoo repository'.
>
I have addressed this. Thanks for the input :)



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]