* [gentoo-dev] News Item: Future Support of hardened-sources Kernel
@ 2015-10-19 1:36 Anthony G. Basile
From: Anthony G. Basile @ 2015-10-19 1:36 UTC
To: Gentoo Development
Hi everyone, for your consideration:
Title: Future Support of hardened-sources Kernel
Content-Type: text/plain
Posted: 2015-10-21
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Keyword: hardened
Display-If-Keyword: pax_kernel
Display-If-Profile: hardened/linux/amd64
Display-If-Profile: hardened/linux/amd64/no-multilib
Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
Display-If-Profile: hardened/linux/amd64/selinux
Display-If-Profile: hardened/linux/amd64/x32
Display-If-Profile: hardened/linux/arm/armv6j
Display-If-Profile: hardened/linux/arm/armv7a
Display-If-Profile: hardened/linux/ia64
Display-If-Profile: hardened/linux/musl/amd64
Display-If-Profile: hardened/linux/musl/amd64/x32
Display-If-Profile: hardened/linux/musl/arm/armv7a
Display-If-Profile: hardened/linux/musl/mips
Display-If-Profile: hardened/linux/musl/mips/mipsel
Display-If-Profile: hardened/linux/musl/ppc
Display-If-Profile: hardened/linux/musl/x86
Display-If-Profile: hardened/linux/powerpc/ppc32
Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
Display-If-Profile: hardened/linux/uclibc/amd64
Display-If-Profile: hardened/linux/uclibc/arm/armv7a
Display-If-Profile: hardened/linux/uclibc/mips
Display-If-Profile: hardened/linux/uclibc/mips/mipsel
Display-If-Profile: hardened/linux/uclibc/ppc
Display-If-Profile: hardened/linux/uclibc/x86
Display-If-Profile: hardened/linux/x86
Display-If-Profile: hardened/linux/x86/selinux
For many years, the Grsecurity team [1] has been supporting two versions of
their security patches against the Linux kernel, a stable and a testing
version, and Gentoo has made both of these available to our users through the
hardened-sources package. However, on August 26 of this year, the team
announced they would no longer be making the stable version publicly
available, citing trademark infringement by a major embedded systems company
as the reason. [2] The stable patches are now only available to sponsors of
Grsecurity and can no longer be distributed in Gentoo. However, the team did
assure us that they would continue to release and support the testing version
as they have in the past.
What does this mean for users of hardened-sources? Gentoo will continue to
make the testing version available through our hardened-sources package but we
will have to drop support for the 3.x series. In a few days, those ebuilds
will be removed from the tree and you will be required to upgrade to a 4.x
series kernel. Since the hardened-sources package only installs the kernel
source tree, you can continue using a currently built 3.x series kernel but
bear in mind that we cannot support you, nor will upstream. Also keep in mind
that the 4.x series will not be as reliable as the 3.x series was, so
reporting bugs promptly will be even more important. Gentoo will continue to
work closely with upstream to stay on top of any problems, but be prepared for
the occasional "bad" kernel. The more reporting we receive from our users,
the better we will be able to decide which hardened-sources kernels to mark
stable and which to drop.
Refs.
[1] https://grsecurity.net
[2] https://grsecurity.net/announce.php
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
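The news item tells administrators two things to check on each host: whether the running kernel is still a 3.x hardened kernel (which neither Gentoo nor upstream will support once the ebuilds are gone), and whether 3.x hardened-sources trees are still recorded as installed. The following is an added example audit script, not part of the news item or the hardened-sources ebuilds; the function names are hypothetical, the kernel release strings follow the form printed by `uname -r`, and the VDB directory layout (`/var/db/pkg/<category>/<pkg>-<version>`) is Portage's. It handles release strings without the `-hardened` suffix and strings whose leading component is not a version number, so it can be run over a fleet without misclassifying non-hardened hosts.

```sh
#!/bin/sh
# Added example (not part of the news item or the hardened-sources ebuilds):
# audit a host against the policy above, which drops 3.x hardened-sources and
# expects users to be on a 4.x series hardened kernel.

# classify_kernel RELEASE
#   Classifies a kernel release string in the form printed by `uname -r`,
#   e.g. "3.18.22-hardened-r2" or "4.2.3-hardened". Prints one of:
#     ok            hardened kernel on the 4.x series or newer
#     unsupported   hardened kernel on the 3.x series or older
#     not-hardened  release string lacks the "-hardened" suffix
#     unparseable   leading component is not a number (exit status 2)
classify_kernel() {
    rel="$1"
    case "$rel" in
        *-hardened*) ;;
        *) echo "not-hardened"; return 0 ;;
    esac
    # The major version is everything before the first dot.
    major="${rel%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo "unparseable"; return 2 ;;
    esac
    if [ "$major" -ge 4 ]; then
        echo "ok"
    else
        echo "unsupported"
    fi
}

# list_3x_hardened_sources [VDB_DIR]
#   Lists hardened-sources 3.x versions still recorded in the Portage
#   installed-package database. Portage keeps one directory per installed
#   package under /var/db/pkg/<category>/<pkg>-<version>; the directory is a
#   parameter so the function can be pointed at a test tree.
list_3x_hardened_sources() {
    vdb="${1:-/var/db/pkg/sys-kernel}"
    for d in "$vdb"/hardened-sources-3.*; do
        # An unmatched glob is left as a literal string; skip it.
        [ -d "$d" ] || continue
        echo "${d##*/}"
    done
}

# check_host
#   Reports the running kernel's status and any leftover 3.x source trees.
#   Exit status is 0 only when the running kernel is a supported hardened
#   kernel under the policy above.
check_host() {
    running=$(uname -r)
    status=$(classify_kernel "$running")
    echo "running kernel: $running ($status)"
    leftovers=$(list_3x_hardened_sources)
    [ -n "$leftovers" ] && echo "installed 3.x hardened-sources: $leftovers"
    [ "$status" = ok ]
}
```

Source the file and call `check_host` on each machine; a non-zero exit marks a host that still boots an unsupported hardened kernel. A leftover 3.x source tree is reported but is not itself a failure, since, as the news item says, the package only installs sources.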
* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
From: Daniel Campbell @ 2015-10-20 8:23 UTC
To: gentoo-dev
On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
> Hi everyone, for your consideration:
>
> Title: Future Support of hardened-sources Kernel
> Content-Type: text/plain
> Posted: 2015-10-21
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: sys-kernel/hardened-sources
> Display-If-Keyword: hardened
> Display-If-Keyword: pax_kernel
> Display-If-Profile: hardened/linux/amd64
> Display-If-Profile: hardened/linux/amd64/no-multilib
> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
> Display-If-Profile: hardened/linux/amd64/selinux
> Display-If-Profile: hardened/linux/amd64/x32
> Display-If-Profile: hardened/linux/arm/armv6j
> Display-If-Profile: hardened/linux/arm/armv7a
> Display-If-Profile: hardened/linux/ia64
> Display-If-Profile: hardened/linux/musl/amd64
> Display-If-Profile: hardened/linux/musl/amd64/x32
> Display-If-Profile: hardened/linux/musl/arm/armv7a
> Display-If-Profile: hardened/linux/musl/mips
> Display-If-Profile: hardened/linux/musl/mips/mipsel
> Display-If-Profile: hardened/linux/musl/ppc
> Display-If-Profile: hardened/linux/musl/x86
> Display-If-Profile: hardened/linux/powerpc/ppc32
> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
> Display-If-Profile: hardened/linux/uclibc/amd64
> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
> Display-If-Profile: hardened/linux/uclibc/mips
> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
> Display-If-Profile: hardened/linux/uclibc/ppc
> Display-If-Profile: hardened/linux/uclibc/x86
> Display-If-Profile: hardened/linux/x86
> Display-If-Profile: hardened/linux/x86/selinux
>
> For many years, the Grsecurity team [1] has been supporting two
> versions of their security patches against the Linux kernel, a
> stable and a testing version, and Gentoo has made both of these
> available to our users through the hardened-sources package.
> However, on August 26 of this year, the team announced they would
> no longer be making the stable version publicly available, citing
> trademark infringement by a major embedded systems company as the
> reason. [2] The stable patches are now only available to sponsors
> of Grsecurity and can no longer be distributed in Gentoo. However,
> the team did assure us that they would continue to release and
> support the testing version as they have in the past.
>
> What does this mean for users of hardened-sources? Gentoo will
> continue to make the testing version available through our
> hardened-sources package but we will have to drop support for the
> 3.x series. In a few days, those ebuilds will be removed from the
> tree and you will be required to upgrade to a 4.x series kernel.
> Since the hardened-sources package only installs the kernel source
> tree, you can continue using a currently built 3.x series kernel
> but bear in mind that we cannot support you, nor will upstream.
> Also keep in mind that the 4.x series will not be as reliable as
> the 3.x series was, so reporting bugs promptly will be even more
> important. Gentoo will continue to work closely with upstream to
> stay on top of any problems, but be prepared for the occasional
> "bad" kernel. The more reporting we receive from our users, the
> better we will be able to decide which hardened-sources kernels to
> mark stable and which to drop.
>
> Refs.
> [1] https://grsecurity.net
> [2] https://grsecurity.net/announce.php
>
Looks like a good write-up to me. Concise and clear, with the URL for
those who care enough about the fiasco.
However, does this mean the hardened kernel package must stay in ~arch
since it's technically the testing version? Or would we keyword it
based on our own findings of stability?
--
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6
* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
From: Rich Freeman @ 2015-10-20 8:45 UTC
To: gentoo-dev
On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell <zlg@gentoo.org> wrote:
> However, does this mean the hardened kernel package must stay in ~arch
> since it's technically the testing version? Or would we keyword it
> based on our own findings of stability?
I'd recommend that the team does whatever adds the most value. If it
doesn't want to do QA on released versions then I suggest it all stay
as ~arch. If you're going to do your own QA I don't see why you can't
mark versions as stable - just make it clear to users what stable
means.
BTW, while they're only tracking the most recent stable branch of the
kernel, they ARE tracking a stable branch, and not mainline.
--
Rich
* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
From: Anthony G. Basile @ 2015-10-20 9:21 UTC
To: gentoo-dev
On 10/20/15 4:23 AM, Daniel Campbell wrote:
> On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
>> Hi everyone, for your consideration:
>>
>> Title: Future Support of hardened-sources Kernel
>> Content-Type: text/plain
>> Posted: 2015-10-21
>> Revision: 1
>> News-Item-Format: 1.0
>> Display-If-Installed: sys-kernel/hardened-sources
>> Display-If-Keyword: hardened
>> Display-If-Keyword: pax_kernel
>> Display-If-Profile: hardened/linux/amd64
>> Display-If-Profile: hardened/linux/amd64/no-multilib
>> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
>> Display-If-Profile: hardened/linux/amd64/selinux
>> Display-If-Profile: hardened/linux/amd64/x32
>> Display-If-Profile: hardened/linux/arm/armv6j
>> Display-If-Profile: hardened/linux/arm/armv7a
>> Display-If-Profile: hardened/linux/ia64
>> Display-If-Profile: hardened/linux/musl/amd64
>> Display-If-Profile: hardened/linux/musl/amd64/x32
>> Display-If-Profile: hardened/linux/musl/arm/armv7a
>> Display-If-Profile: hardened/linux/musl/mips
>> Display-If-Profile: hardened/linux/musl/mips/mipsel
>> Display-If-Profile: hardened/linux/musl/ppc
>> Display-If-Profile: hardened/linux/musl/x86
>> Display-If-Profile: hardened/linux/powerpc/ppc32
>> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
>> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
>> Display-If-Profile: hardened/linux/uclibc/amd64
>> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
>> Display-If-Profile: hardened/linux/uclibc/mips
>> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
>> Display-If-Profile: hardened/linux/uclibc/ppc
>> Display-If-Profile: hardened/linux/uclibc/x86
>> Display-If-Profile: hardened/linux/x86
>> Display-If-Profile: hardened/linux/x86/selinux
>>
>> For many years, the Grsecurity team [1] has been supporting two
>> versions of their security patches against the Linux kernel, a
>> stable and a testing version, and Gentoo has made both of these
>> available to our users through the hardened-sources package.
>> However, on August 26 of this year, the team announced they would
>> no longer be making the stable version publicly available, citing
>> trademark infringement by a major embedded systems company as the
>> reason. [2] The stable patches are now only available to sponsors
>> of Grsecurity and can no longer be distributed in Gentoo. However,
>> the team did assure us that they would continue to release and
>> support the testing version as they have in the past.
>>
>> What does this mean for users of hardened-sources? Gentoo will
>> continue to make the testing version available through our
>> hardened-sources package but we will have to drop support for the
>> 3.x series. In a few days, those ebuilds will be removed from the
>> tree and you will be required to upgrade to a 4.x series kernel.
>> Since the hardened-sources package only installs the kernel source
>> tree, you can continue using a currently built 3.x series kernel
>> but bear in mind that we cannot support you, nor will upstream.
>> Also keep in mind that the 4.x series will not be as reliable as
>> the 3.x series was, so reporting bugs promptly will be even more
>> important. Gentoo will continue to work closely with upstream to
>> stay on top of any problems, but be prepared for the occasional
>> "bad" kernel. The more reporting we receive from our users, the
>> better we will be able to decide which hardened-sources kernels to
>> mark stable and which to drop.
>>
>> Refs.
>> [1] https://grsecurity.net
>> [2] https://grsecurity.net/announce.php
>>
> Looks like a good write-up to me. Concise and clear, with the URL for
> those who care enough about the fiasco.
>
> However, does this mean the hardened kernel package must stay in ~arch
> since it's technically the testing version? Or would we keyword it
> based on our own findings of stability?
>
I will continue to mark the best amd64 and x86 versions as stable.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
* Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
From: Anthony G. Basile @ 2015-10-20 9:34 UTC
To: gentoo-dev
On 10/20/15 4:45 AM, Rich Freeman wrote:
> On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell <zlg@gentoo.org> wrote:
>> However, does this mean the hardened kernel package must stay in ~arch
>> since it's technically the testing version? Or would we keyword it
>> based on our own findings of stability?
> I'd recommend that the team does whatever adds the most value. If it
> doesn't want to do QA on released versions then I suggest it all stay
> as ~arch. If you're going to do your own QA I don't see why you can't
> mark versions as stable - just make it clear to users what stable
> means.
>
> BTW, while they're only tracking the most recent stable branch of the
> kernel, they ARE tracking a stable branch, and not mainline.
>
I have been marking hardened-sources based on the grsecurity testing
patches as stable since forever and will continue with the same
practice. "Testing" means they add new features there first and those
new features can break stuff. We identify breakage in bug reports and
hold back to versions that are known to work until upstream fixes the
broken features. It works pretty well in practice and most users of
hardened-sources already know this. What they may not know is that the
3.x is no longer public.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
* [gentoo-dev] Re: News Item: Future Support of hardened-sources Kernel
From: Duncan @ 2015-10-20 21:55 UTC
To: gentoo-dev
Anthony G. Basile posted on Tue, 20 Oct 2015 05:34:33 -0400 as excerpted:
> On 10/20/15 4:45 AM, Rich Freeman wrote:
>> On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell <zlg@gentoo.org>
>> wrote:
>>> However, does this mean the hardened kernel package must stay in ~arch
>>> since it's technically the testing version? Or would we keyword it
>>> based on our own findings of stability?
>> I'd recommend that the team does whatever adds the most value. If it
>> doesn't want to do QA on released versions then I suggest it all stay
>> as ~arch. If you're going to do your own QA I don't see why you can't
>> mark versions as stable - just make it clear to users what stable
>> means.
>>
>> BTW, while they're only tracking the most recent stable branch of the
>> kernel, they ARE tracking a stable branch, and not mainline.
>>
> I have been marking hardened-sources based on the grsecurity testing
> patches as stable since forever and will continue with the same
> practice. "Testing" means they add new features there first and those
> new features can break stuff. We identify breakage in bug reports and
> hold back to versions that are known to work until upstream fixes the
> broken features. It works pretty well in practice and most users of
> hardened-sources already know this. What they may not know is that the
> 3.x is no longer public.
And FWIW, ~arch vs stable in gentoo has always been relative not
necessarily to what upstream considers testing vs stable, but rather, to
the general stability of the ebuild (and patches, etc) specifically in
/gentoo/.
Of course there has been quite some maintainer leeway in that, and often
the maintainer will choose to follow upstream stability guidance when
choosing versions to stabilize, but that isn't necessarily the case.
Strictly speaking, it has /always/ been about gentoo-level, not upstream-
level, stability.
So particularly in cases like this where upstream official testing is all
that upstream makes available, any gentoo stable indicator must /clearly/
be based on gentoo-level stability, /maybe/ based partly on the opinions
of other distros shipping it, but obviously not based on upstream's
classification, since they don't even make a stable classified version
available to the general FLOSS community.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman