From: R0b0t1 <r030t1@gmail.com>
To: gentoo-dev@lists.gentoo.org, blueness@gentoo.org
Subject: Re: [gentoo-dev] Regarding the State of PaX in the tree
Date: Sun, 15 Apr 2018 20:25:10 -0500 [thread overview]
Message-ID: <CAAD4mYgT+Lo4uTAMHG2nZsA41ky=Gs9qw1WVrjdHL1E2BSb-+Q@mail.gmail.com> (raw)
In-Reply-To: <8afcc662-4ca4-bf0b-d23a-cba93746ed70@gentoo.org>
On Sun, Apr 15, 2018 at 7:04 PM, Anthony G. Basile <blueness@gentoo.org> wrote:
> Hi everyone,
>
> Magnus (aka Zorry) and I have been talking about what to do with PaX in
> the Gentoo tree. A year ago, grsecurity.net upstream stopped providing
> open versions of their patches to the community and this basically
> brought an end to sys-kernel/hardened-sources. I waited a while before
> masking the package in the hope that upstream might reconsider. There
> were also some forks but I didn't have much confidence in them. I'm not
> sure that any of these forks have been able to keep up past
> meltdown/specter.
>
> It may be time to remove sys-kernel/hardened-sources completely from the
> tree. Removing the package is easy, but the issue is there is a lot of
> machinery in the tree that revolves around supporting a PaX kernel.
> This involves things like setting PaX flags on some executables either
> by touching the ELF program headers or the file's extended attributes,
> or applying custom patches.
>
> The question then is, do we remove all this code? As thing stands, its
> just lint that serves no current purpose, so removing it would clean
> things up. The disadvantage is it would be a pita to ever restore it if
> we ever wanted it back. While upstream doesn't provide their patch for
> free, some users/companies can purchase the grsecurity patches and still
> use a custom hardened-sources kernel with Gentoo. But since we haven't
> been able to test the pax markings/custom patches in about a year, its
> hard to say how useful that code might still be.
>
> I'm just emailing everyone to get advice.
>
I retain hope that compatible features will be added to the kernel.
Consequently, I would appreciate if the machinery can be left. If it
becomes a maintenance burden in the future I suspect that would be a
good time to remove it.
Cheers,
R0b0t1
next prev parent reply other threads:[~2018-04-16 1:25 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-16 0:04 [gentoo-dev] Regarding the State of PaX in the tree Anthony G. Basile
2018-04-16 1:25 ` R0b0t1 [this message]
2018-04-16 2:25 ` Sam Jorna
2018-04-16 6:06 ` Michał Górny
2018-04-16 7:22 ` Ulrich Mueller
2018-04-16 12:20 ` Anthony G. Basile
2018-04-16 8:05 ` Marc Schiffbauer
2018-04-16 12:12 ` Anthony G. Basile
2018-04-16 17:11 ` Patrick McLean
2018-04-19 12:05 ` Marc Schiffbauer
2018-04-16 9:14 ` Hanno Böck
2018-04-16 12:31 ` Anthony G. Basile
2018-04-16 14:26 ` Francesco Riosa
2018-04-16 17:53 ` Toralf Förster
2018-04-16 18:16 ` Jason Zaman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAD4mYgT+Lo4uTAMHG2nZsA41ky=Gs9qw1WVrjdHL1E2BSb-+Q@mail.gmail.com' \
--to=r030t1@gmail.com \
--cc=blueness@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox