Subject: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
From: "Francisco Blas Izquierdo Riera (klondike)"
To: gentoo-dev@lists.gentoo.org
Cc: pr@gentoo.org, gentoo-hardened@lists.gentoo.org
Date: Tue, 15 Aug 2017 22:07:05 +0200
Message-ID: <89529177-d896-42a0-e57c-2d4bb07edbf1@gentoo.org>
In-Reply-To: <22931.7313.608217.152058@a1i15.kph.uni-mainz.de>
References: <9e03d55e-7212-1bd9-370a-0a570bf18aa3@gentoo.org> <22931.7313.608217.152058@a1i15.kph.uni-mainz.de>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156).

On 15/08/17 at 18:08, Ulrich Mueller wrote:
>>>>>> On Tue, 15 Aug 2017, Francisco Blas Izquierdo Riera (klondike) wrote:
>> Updated the news item following comments from dilfridge, mrueg and
>> floppym. Also made it display to users of hardened profiles.
> Some very minor comments:
>
>> Author: Francisco Blas Izquierdo Riera (klondike)
> Format of the line is "Real Name ", so I'd suggest dropping
> the nick in parentheses, especially since it is there in the
> e-mail address anyway.
>
>> Because of that we will be masking the hardened-sources on the 27th of
>> August and will proceed to remove then from the tree by the end of
>> September. [...]
> s/then/them/
>
>> As an alternative, for users happy keeping themselves on the stable
>> 4.9 branch of the kernel minipli, another Grsec user, is forward
>> porting the patches on [3].
> I had difficulties parsing this sentence. Insert a comma after
> "kernel"? Also there is spurious whitespace before "stable".
>
> Ulrich

Thanks for your input; I have addressed your comments on the attached news item. I have also added a note regarding the other PaX related packages, as these still won't be removed.

Klondike

Attachment: 2017-08-19-hardened-sources-removal.en.txt

Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera
Posted: 2017-08-19
Revision: 3
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*

As you may know, the core of sys-kernel/hardened-sources has been the patches published by Grsec. Sadly, their developers have stopped making these patches freely available [1]. This is a full stop of any public updates, and not only stable ones as was announced two years ago [2].

As a result, the Gentoo Hardened team is unable to keep providing further updates of the patches, and although the hardened-sources have proved (when using a hardened toolchain) to be resistant against certain attacks like the stack guard page jump techniques proposed by Stack Clash, we can't ensure a regular patching schedule and therefore the security of the users of these kernel sources.

Because of that, we will be masking the hardened-sources on the 27th of August and will proceed to remove them from the tree by the end of September. Obviously, we will reinstate the package again if the developers decide to make their patches publicly available again.

Our recommendation is that users should consider using sys-kernel/gentoo-sources instead. As an alternative, for users happy keeping themselves on the stable 4.9 branch of the kernel, minipli, another Grsec user, is forward porting the patches on [3].
Strcat from Copperhead OS is making his own version of the patches, forward ported to the latest version of the Linux tree, at [4]. The Gentoo Hardened team can't make any statement regarding the security, reliability or update availability of either of those patches, as we aren't providing them, and can't therefore make any recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support for SELinux provided by Gentoo Hardened will still remain there and is unaffected by this removal. Also, all PaX related packages other than the hardened-sources will remain for the time being.

[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened

Attachment: signature.asc (OpenPGP digital signature)