public inbox for gentoo-dev@lists.gentoo.org
From: "Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: pr@gentoo.org, gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
Date: Wed, 16 Aug 2017 12:09:57 +0200	[thread overview]
Message-ID: <bdc66209-8bb9-f645-9714-8d3116a85e8e@gentoo.org> (raw)
In-Reply-To: <9dfffef9-e2fc-dc97-6258-219de98e8b13@gentoo.org>


[-- Attachment #1.1.1: Type: text/plain, Size: 835 bytes --]

On 16/08/17 at 09:40, Marek Szuba wrote:
> Two tiny bits of formal nitpicking from my side:
>  - it's "grsecurity" (not a typo, they do use a lowercase g except when
> the name appears at the beginning of a sentence), not "grsec";
>  - the patches were not *distributed by* grsecurity, they *are*
> grsecurity. The vendor's name is Open Source Security, Inc.

Nowadays it is, but this hasn't always been the case. You'll notice the
presence of a /dev/grsec and you'll also find grsec referenced across
some old patches. Anyway, I changed it.

The same applies to Open Source Security, Inc.: the company was founded
in 2008, but grsecurity has been around for much longer. That's why I
prefer to refer to Brad Spengler and the PaX Team here, as they are still
the real upstream behind Open Source Security, Inc.



[-- Attachment #1.1.2: 2017-08-19-hardened-sources-removal.en.txt --]
[-- Type: text/plain, Size: 2320 bytes --]

Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
Posted: 2017-08-19
Revision: 4
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Profile: hardened/linux/*

As you may know, the core of sys-kernel/hardened-sources has been the
grsecurity patches.

Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of all public updates, not only of
the stable ones as was announced two years ago [2].

As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when used with a hardened toolchain) to be resistant against
certain attacks, like the stack guard page jump techniques proposed by
Stack Clash, we can't ensure a regular patching schedule and therefore
the security of the users of these kernel sources.

Because of that, we will be masking the hardened-sources on the 27th of
August and will proceed to remove them from the tree by the end of
September. Obviously, we will reinstate the package if the developers
decide to make their patches publicly available again.

Our recommendation is that users should consider using
sys-kernel/gentoo-sources instead.

As an alternative, for users happy to keep themselves on the stable
4.9 branch of the kernel, minipli, another grsecurity user, is forward
porting the patches at [3].

Strcat from CopperheadOS is making his own version of the patches,
forward ported to the latest version of the Linux tree, at [4].

The Gentoo Hardened team can't make any statement regarding the
security, reliability or update availability of either of those
patches, as we aren't providing them, and can't therefore make any
recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support
for SELinux provided by Gentoo Hardened will remain and are
unaffected by this removal. Also, all PaX-related packages other
than the hardened-sources will remain for the time being.

[1] https://grsecurity.net/passing_the_baton.php
[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-hardened-sources-kernel.html
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 829 bytes --]


Thread overview: 23+ messages
2017-08-15 15:01 [gentoo-dev] New item for sys-kernel/hardened-sources removal Francisco Blas Izquierdo Riera (klondike)
2017-08-15 15:46 ` Francisco Blas Izquierdo Riera (klondike)
2017-08-15 16:08   ` Ulrich Mueller
2017-08-15 20:07     ` Francisco Blas Izquierdo Riera (klondike)
2017-08-15 15:50 ` R0b0t1
2017-08-15 20:03   ` Francisco Blas Izquierdo Riera (klondike)
2017-08-18  0:59     ` R0b0t1
2017-08-19 10:54       ` [gentoo-dev] About " Francisco Blas Izquierdo Riera (klondike)
2017-08-16  7:40 ` [gentoo-dev] New item for " Marek Szuba
2017-08-16 10:09   ` Francisco Blas Izquierdo Riera (klondike) [this message]
2017-08-16 16:01     ` Duncan
2017-08-17 22:54       ` Francisco Blas Izquierdo Riera (klondike)
2017-08-19 10:37 ` Aaron W. Swenson
2017-08-19 11:01   ` Francisco Blas Izquierdo Riera (klondike)
2017-08-19 11:18     ` Aaron W. Swenson
2017-08-19 11:34       ` Francisco Blas Izquierdo Riera (klondike)
2017-08-20  5:39         ` R0b0t1
2017-08-20  6:05           ` R0b0t1
2017-08-20  7:53           ` Michał Górny
2017-08-20  9:31             ` [gentoo-dev] " Duncan
2017-08-19 22:15       ` Duncan
2017-08-19 22:44         ` Michał Górny
2017-08-20 18:47           ` Francisco Blas Izquierdo Riera (klondike)
