From: R0b0t1
Date: Sun, 20 Aug 2017 00:39:52 -0500
Subject: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
To: gentoo-dev@lists.gentoo.org

On Sat, Aug 19, 2017 at 6:34 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 19/08/17 at 13:18, Aaron W. Swenson wrote:
>> On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>>> On 19/08/17 at 12:37, Aaron W. Swenson wrote:
>>>> On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>>> Hi!
>>>>>
>>>>> I'd like to get this one up by Saturday so that we can proceed with
>>>>> masking and removing of the hardened-sources after upstream stopped
>>>>> releasing new patches.
>>>> I hope I'm not too late.
>>>>
>>>>> We'd like to note that all the userspace hardening and MAC support
>>>>> for SELinux provided by Gentoo Hardened will still remain there and
>>>>> is unaffected by this removal.
>>>> Where is there? I think you're talking about the packages, but the news
>>>> item is about the kernels. It would help to be more specific here.
>>>>
>>>> That's all I had that the others hadn't touched on.
>>> Do you think something like that is better, then?
>>>
>>> We'd like to note that all the userspace hardening and MAC support
>>> for SELinux provided by Gentoo Hardened will still remain available
>>> on the portage. Keep in mind though that the security provided by
>>> these features will be weakened a bit when using
>>> sys-kernel/gentoo-sources. Also, all PaX related packages other than
>>> the hardened-sources will remain available for the time being.
>>>
>>>
>> Much better. We should mention that we're specifically discussing
>> packages and not portage itself. At least, that's my understanding from
>> your edit.
>>
>> Here's my take on it:
>>
>> We'd like to note that all the userspace hardening and MAC support for
>> SELinux provided by Gentoo Hardened will still remain in the packages
>> found in portage. Keep in mind, though, that the security provided by
>> these features will be weakened a bit when using
>> sys-kernel/gentoo-sources. Also, all PaX related packages, except
>> sys-kernel/hardened-sources, will remain available for the time being.
>
> I updated the news item with your proposal. Thanks a lot :)
>

The discussion is nice, but no one has actually touched on the technical
merits of removing the packages besides "they are old." There's plenty of
old software in portage. Why not remove it first?

I had a similar issue with the GCC developer who removed GCJ support. I
asked him for any justification at all for the removal and he had none
but some vague statements about it creating work. I would have taken any
more specific example he gave at face value, but he didn't want to give
one. I was left to conclude he didn't have one to give.

So I ask again: on what basis are the hardened sources being removed from
the tree? At this point I am far less interested in making sure the
sources stay in the tree than I am in forcing you to justify your
actions, because I suspect your attempt to do so will be entertaining.

R0b0t1.