Date: Sat, 24 Jun 2017 12:04:03 +0200
From: Alexis Ballier
To: gentoo-dev@lists.gentoo.org
Cc: Patrice Clement
Subject: Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
Message-ID: <20170624120403.0944ba76@gentoo.org>
Organization: Gentoo

On Fri, 23 Jun 2017 12:28:27 -0400 "Anthony G. Basile" wrote:

> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of
> work to properly maintain PaX markings in our package management
> system and there was no part of Gentoo that wasn't touched by issues
> stemming from PaX support.

Good luck to them at providing a complete userland ecosystem for using PaX protection. Good luck getting people to accept and review their often crashing asm patches at upstream projects that won't even be able to test their benefits.

Maybe we should start a business for this? :)
http://static.sstic.org/videos2015/SSTIC_2015-06-03_P08_CLIP.mp4
(This is for Patrice.)

We'll need to decide what to do with things like USE=pic. For media packages this is not something you usually want to enable, as you can bear the 10Mb of relocations at startup to get a 10% or more performance improvement when reading your 2-hour-long movie.

Alexis.