public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] News Item: Future Support of hardened-sources Kernel
@ 2015-10-19  1:36 Anthony G. Basile
  2015-10-20  8:23 ` Daniel Campbell
From: Anthony G. Basile @ 2015-10-19  1:36 UTC
  To: Gentoo Development

Hi everyone, for your consideration:

Title: Future Support of hardened-sources Kernel
Content-Type: text/plain
Posted: 2015-10-21
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Keyword: hardened
Display-If-Keyword: pax_kernel
Display-If-Profile: hardened/linux/amd64
Display-If-Profile: hardened/linux/amd64/no-multilib
Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
Display-If-Profile: hardened/linux/amd64/selinux
Display-If-Profile: hardened/linux/amd64/x32
Display-If-Profile: hardened/linux/arm/armv6j
Display-If-Profile: hardened/linux/arm/armv7a
Display-If-Profile: hardened/linux/ia64
Display-If-Profile: hardened/linux/musl/amd64
Display-If-Profile: hardened/linux/musl/amd64/x32
Display-If-Profile: hardened/linux/musl/arm/armv7a
Display-If-Profile: hardened/linux/musl/mips
Display-If-Profile: hardened/linux/musl/mips/mipsel
Display-If-Profile: hardened/linux/musl/ppc
Display-If-Profile: hardened/linux/musl/x86
Display-If-Profile: hardened/linux/powerpc/ppc32
Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
Display-If-Profile: hardened/linux/uclibc/amd64
Display-If-Profile: hardened/linux/uclibc/arm/armv7a
Display-If-Profile: hardened/linux/uclibc/mips
Display-If-Profile: hardened/linux/uclibc/mips/mipsel
Display-If-Profile: hardened/linux/uclibc/ppc
Display-If-Profile: hardened/linux/uclibc/x86
Display-If-Profile: hardened/linux/x86
Display-If-Profile: hardened/linux/x86/selinux

For many years, the Grsecurity team [1] has been supporting two versions of
their security patches against the Linux kernel, a stable and a testing
version, and Gentoo has made both of these available to our users through the
hardened-sources package.  However, on August 26 of this year, the team
announced they would no longer be making the stable version publicly
available, citing trademark infringement by a major embedded systems company
as the reason. [2]  The stable patches are now only available to sponsors of
Grsecurity and can no longer be distributed in Gentoo.  However, the team did
assure us that they would continue to release and support the testing version
as they have in the past.

What does this mean for users of hardened-sources?  Gentoo will continue to
make the testing version available through our hardened-sources package but we
will have to drop support for the 3.x series.  In a few days, those ebuilds
will be removed from the tree and you will be required to upgrade to a 4.x
series kernel.  Since the hardened-sources package only installs the kernel
source tree, you can continue using a currently built 3.x series kernel but
bear in mind that we cannot support you, nor will upstream.  Also keep in mind
that the 4.x series will not be as reliable as the 3.x series was, so
reporting bugs promptly will be even more important.  Gentoo will continue to
work closely with upstream to stay on top of any problems, but be prepared for
the occasional "bad" kernel.  The more reporting we receive from our users,
the better we will be able to decide which hardened-sources kernels to mark
stable and which to drop.

Refs.
[1] https://grsecurity.net
[2] https://grsecurity.net/announce.php

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
  2015-10-19  1:36 [gentoo-dev] News Item: Future Support of hardened-sources Kernel Anthony G. Basile
@ 2015-10-20  8:23 ` Daniel Campbell
  2015-10-20  8:45   ` Rich Freeman
  2015-10-20  9:21   ` [gentoo-dev] " Anthony G. Basile
From: Daniel Campbell @ 2015-10-20  8:23 UTC
  To: gentoo-dev

On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
> Hi everyone, for your consideration:
> 
> Title: Future Support of hardened-sources Kernel Content-Type:
> text/plain Posted: 2015-10-21 Revision: 1 News-Item-Format: 1.0 
> Display-If-Installed: sys-kernel/hardened-sources 
> Display-If-Keyword: hardened Display-If-Keyword: pax_kernel 
> Display-If-Profile: hardened/linux/amd64 Display-If-Profile:
> hardened/linux/amd64/no-multilib Display-If-Profile:
> hardened/linux/amd64/no-multilib/selinux Display-If-Profile:
> hardened/linux/amd64/selinux Display-If-Profile:
> hardened/linux/amd64/x32 Display-If-Profile:
> hardened/linux/arm/armv6j Display-If-Profile:
> hardened/linux/arm/armv7a Display-If-Profile: hardened/linux/ia64 
> Display-If-Profile: hardened/linux/musl/amd64 Display-If-Profile:
> hardened/linux/musl/amd64/x32 Display-If-Profile:
> hardened/linux/musl/arm/armv7a Display-If-Profile:
> hardened/linux/musl/mips Display-If-Profile:
> hardened/linux/musl/mips/mipsel Display-If-Profile:
> hardened/linux/musl/ppc Display-If-Profile:
> hardened/linux/musl/x86 Display-If-Profile:
> hardened/linux/powerpc/ppc32 Display-If-Profile:
> hardened/linux/powerpc/ppc64/32bit-userland Display-If-Profile:
> hardened/linux/powerpc/ppc64/64bit-userland Display-If-Profile:
> hardened/linux/uclibc/amd64 Display-If-Profile:
> hardened/linux/uclibc/arm/armv7a Display-If-Profile:
> hardened/linux/uclibc/mips Display-If-Profile:
> hardened/linux/uclibc/mips/mipsel Display-If-Profile:
> hardened/linux/uclibc/ppc Display-If-Profile:
> hardened/linux/uclibc/x86 Display-If-Profile: hardened/linux/x86 
> Display-If-Profile: hardened/linux/x86/selinux
> 
> For many years, the Grsecurity team [1] has been supporting two
> versions of their security patches against the Linux kernel, a
> stable and a testing version, and Gentoo has made both of these
> available to our users through the hardened-sources package.
> However, on August 26 of this year, the team announced they would
> no longer be making the stable version publicly available, citing
> trademark infringement by a major embedded systems company as the
> reason. [2]  The stable patches are now only available to sponsors
> of Grsecurity and can no longer be distributed in Gentoo.  However,
> the team did assure us that they would continue to release and
> support the testing version as they have in the past.
> 
> What does this means for users of hardened-sources?  Gentoo will 
> continue to make the testing version available through our
> hardened-sources package but we will have to drop support for the
> 3.x series.  In a few days, those ebuilds will be removed from the
> tree and you will be required to upgrade to a 4.x series kernel.
> Since the hardened-sources package only installs the kernel source
> tree, you can continue using a currently built 3.x series kernel
> but bear in mind that we cannot support you, nor will upstream.
> Also keep in mind that the 4.x series will not be as reliable as
> the 3.x series was, so reporting bugs promptly will be even more
> important.  Gentoo will continue to work closely with upstream to
> stay on top of any problems, but be prepared for the occasional
> "bad" kernel.  The more reporting we receive from our users, the
> better we will be able to decide which hardened-sources kernels to
> mark stable and which to drop.
> 
> Refs. [1] https://grsecurity.net [2]
> https://grsecurity.net/announce.php
> 

Looks like a good write-up to me. Concise and clear, with the URL for
those who care enough about the fiasco.

However, does this mean the hardened kernel package must stay in ~arch
since it's technically the testing version? Or would we keyword it
based on our own findings of stability?

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6

* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
  2015-10-20  8:23 ` Daniel Campbell
@ 2015-10-20  8:45   ` Rich Freeman
  2015-10-20  9:34     ` Anthony G. Basile
  2015-10-20  9:21   ` [gentoo-dev] " Anthony G. Basile
From: Rich Freeman @ 2015-10-20  8:45 UTC
  To: gentoo-dev

On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell <zlg@gentoo.org> wrote:
> However, does this mean the hardened kernel package must stay in ~arch
> since it's technically the testing version? Or would we keyword it
> based on our own findings of stability?

I'd recommend that the team does whatever adds the most value.  If it
doesn't want to do QA on released versions then I suggest it all stay
as ~arch.  If you're going to do your own QA I don't see why you can't
mark versions as stable - just make it clear to users what stable
means.

BTW, while they're only tracking the most recent stable branch of the
kernel, they ARE tracking a stable branch, and not mainline.

-- 
Rich

* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
  2015-10-20  8:23 ` Daniel Campbell
  2015-10-20  8:45   ` Rich Freeman
@ 2015-10-20  9:21   ` Anthony G. Basile
From: Anthony G. Basile @ 2015-10-20  9:21 UTC
  To: gentoo-dev

On 10/20/15 4:23 AM, Daniel Campbell wrote:
> On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
>> Hi everyone, for your consideration:
>>
>> Title: Future Support of hardened-sources Kernel Content-Type:
>> text/plain Posted: 2015-10-21 Revision: 1 News-Item-Format: 1.0
>> Display-If-Installed: sys-kernel/hardened-sources
>> Display-If-Keyword: hardened Display-If-Keyword: pax_kernel
>> Display-If-Profile: hardened/linux/amd64 Display-If-Profile:
>> hardened/linux/amd64/no-multilib Display-If-Profile:
>> hardened/linux/amd64/no-multilib/selinux Display-If-Profile:
>> hardened/linux/amd64/selinux Display-If-Profile:
>> hardened/linux/amd64/x32 Display-If-Profile:
>> hardened/linux/arm/armv6j Display-If-Profile:
>> hardened/linux/arm/armv7a Display-If-Profile: hardened/linux/ia64
>> Display-If-Profile: hardened/linux/musl/amd64 Display-If-Profile:
>> hardened/linux/musl/amd64/x32 Display-If-Profile:
>> hardened/linux/musl/arm/armv7a Display-If-Profile:
>> hardened/linux/musl/mips Display-If-Profile:
>> hardened/linux/musl/mips/mipsel Display-If-Profile:
>> hardened/linux/musl/ppc Display-If-Profile:
>> hardened/linux/musl/x86 Display-If-Profile:
>> hardened/linux/powerpc/ppc32 Display-If-Profile:
>> hardened/linux/powerpc/ppc64/32bit-userland Display-If-Profile:
>> hardened/linux/powerpc/ppc64/64bit-userland Display-If-Profile:
>> hardened/linux/uclibc/amd64 Display-If-Profile:
>> hardened/linux/uclibc/arm/armv7a Display-If-Profile:
>> hardened/linux/uclibc/mips Display-If-Profile:
>> hardened/linux/uclibc/mips/mipsel Display-If-Profile:
>> hardened/linux/uclibc/ppc Display-If-Profile:
>> hardened/linux/uclibc/x86 Display-If-Profile: hardened/linux/x86
>> Display-If-Profile: hardened/linux/x86/selinux
>>
>> For many years, the Grsecurity team [1] has been supporting two
>> versions of their security patches against the Linux kernel, a
>> stable and a testing version, and Gentoo has made both of these
>> available to our users through the hardened-sources package.
>> However, on August 26 of this year, the team announced they would
>> no longer be making the stable version publicly available, citing
>> trademark infringement by a major embedded systems company as the
>> reason. [2]  The stable patches are now only available to sponsors
>> of Grsecurity and can no longer be distributed in Gentoo.  However,
>> the team did assure us that they would continue to release and
>> support the testing version as they have in the past.
>>
>> What does this means for users of hardened-sources?  Gentoo will
>> continue to make the testing version available through our
>> hardened-sources package but we will have to drop support for the
>> 3.x series.  In a few days, those ebuilds will be removed from the
>> tree and you will be required to upgrade to a 4.x series kernel.
>> Since the hardened-sources package only installs the kernel source
>> tree, you can continue using a currently built 3.x series kernel
>> but bear in mind that we cannot support you, nor will upstream.
>> Also keep in mind that the 4.x series will not be as reliable as
>> the 3.x series was, so reporting bugs promptly will be even more
>> important.  Gentoo will continue to work closely with upstream to
>> stay on top of any problems, but be prepared for the occasional
>> "bad" kernel.  The more reporting we receive from our users, the
>> better we will be able to decide which hardened-sources kernels to
>> mark stable and which to drop.
>>
>> Refs. [1] https://grsecurity.net [2]
>> https://grsecurity.net/announce.php
>>
> Looks like a good write-up to me. Concise and clear, with the URL for
> those who care enough about the fiasco.
>
> However, does this mean the hardened kernel package must stay in ~arch
> since it's technically the testing version? Or would we keyword it
> based on our own findings of stability?
>
I will continue to mark the best amd64 and x86 versions as stable.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
  2015-10-20  8:45   ` Rich Freeman
@ 2015-10-20  9:34     ` Anthony G. Basile
  2015-10-20 21:55       ` [gentoo-dev] " Duncan
From: Anthony G. Basile @ 2015-10-20  9:34 UTC
  To: gentoo-dev

On 10/20/15 4:45 AM, Rich Freeman wrote:
> On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell <zlg@gentoo.org> wrote:
>> However, does this mean the hardened kernel package must stay in ~arch
>> since it's technically the testing version? Or would we keyword it
>> based on our own findings of stability?
> I'd recommend that the team does whatever adds the most value.  If it
> doesn't want to do QA on released versions then I suggest it all stay
> as ~arch.  If you're going to do your own QA I don't see why you can't
> mark versions as stable - just make it clear to users what stable
> means.
>
> BTW, while they're only tracking the most recent stable branch of the
> kernel, they ARE tracking a stable branch, and not mainline.
>
I have been marking hardened-sources based on the grsecurity testing
patches as stable since forever and will continue with the same
practice.  "Testing" means they add new features there first and those
new features can break stuff.  We identify breakage in bug reports and
hold back to versions that are known to work until upstream fixes the
broken features.  It works pretty well in practice and most users of
hardened-sources already know this.  What they may not know is that the
3.x is no longer public.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

* [gentoo-dev] Re: News Item: Future Support of hardened-sources Kernel
  2015-10-20  9:34     ` Anthony G. Basile
@ 2015-10-20 21:55       ` Duncan
From: Duncan @ 2015-10-20 21:55 UTC
  To: gentoo-dev

Anthony G. Basile posted on Tue, 20 Oct 2015 05:34:33 -0400 as excerpted:

> On 10/20/15 4:45 AM, Rich Freeman wrote:
>> On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell <zlg@gentoo.org>
>> wrote:
>>> However, does this mean the hardened kernel package must stay in ~arch
>>> since it's technically the testing version? Or would we keyword it
>>> based on our own findings of stability?
>> I'd recommend that the team does whatever adds the most value.  If it
>> doesn't want to do QA on released versions then I suggest it all stay
>> as ~arch.  If you're going to do your own QA I don't see why you can't
>> mark versions as stable - just make it clear to users what stable
>> means.
>>
>> BTW, while they're only tracking the most recent stable branch of the
>> kernel, they ARE tracking a stable branch, and not mainline.
>>
> I have been marking hardened-sources based on the grsecurity testing
> patches as stable since forever and will continue with the same
> practice.  "Testing" means they add new features there first and those
> new features can break stuff.  We identify breakage in bug reports and
> hold back to versions that are known to work until upstream fixes the
> broken features.  It works pretty good in practices and most users of
> hardened-sources already know this. What they may not know is that the
> 3.x is no longer public.

And FWIW, ~arch vs stable in gentoo has always been relative not 
necessarily to what upstream considers testing vs stable, but rather, to 
the general stability of the ebuild (and patches, etc) specifically in 
/gentoo/.

Of course there has been quite some maintainer leeway in that, and often 
the maintainer will choose to follow upstream stability guidance when 
choosing versions to stabilize, but that isn't necessarily the case.  
Strictly speaking, it has /always/ been about gentoo-level, not upstream-
level, stability.

So particularly in cases like this where upstream official testing is all 
that upstream makes available, any gentoo stable indicator must /clearly/ 
be based on gentoo-level stability, /maybe/ based partly on the opinions 
of other distros shipping it, but obviously not based on upstream's 
classification, since they don't even make a stable classified version 
available to the general FLOSS community.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman