public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] Meeting log 2010-10-27 22:00 UTC
@ 2010-10-28 15:03 Magnus Granberg
From: Magnus Granberg @ 2010-10-28 15:03 UTC
  To: hardened-dev, hardened-kernel, hardened, gentoo-hardened


Hi

Log from the hardened project meeting.
Date 2010-10-27
Time 22:00 UTC

/Zorry  blueness Chainsaw klondike quantumsummers

[-- Attachment #2: meeting-2010-10-27_22:00UTC.log --]
[-- Type: text/x-log, Size: 21336 bytes --]

[00:00:43] <Zorry> 1.0 Toolchain
[00:01:10] <Zorry> gcc 4.4.4-r2 is stable on x86 and amd64
[00:01:18] <quantumsummers|a> yay
[00:01:35] <Zorry> waiting on the rest of the arches to be stable
[00:01:42] <klondike> congrats
[00:01:48] <Zorry> so SSP is back in stable GCC :)
[00:01:56] <quantumsummers|a> ah, I now have an arm vm, I will test in there soon
[00:02:09] <quantumsummers|a> need to make a hardened arm vm, I suppose
[00:02:19] <quantumsummers|a> kvm (on hardened) FTW
[00:02:36] <Zorry> 4.5.1 has some gcc miscompile error on patch
[00:02:59] <Chainsaw> 4.4.4-r2 has been a success on the production server I rolled it out on (emerge -e world, including kernel)
[00:03:10] <quantumsummers|a> same here, for quite awhile now
[00:03:46] <Zorry> and i will mark all gcc 3.X bugs wontfix if it works on 4.4.4-r2
[00:03:47] <blueness> Chainsaw, ditto here
[00:03:52] <blueness> HP DL 385
[00:03:58] <Chainsaw> Zorry: Fully agreed on that policy.
[00:04:03] <Chainsaw> blueness: DL370 G6 :)
[00:04:15] <quantumsummers|a> Zorry: +1 on wontfix for 3.4.6
[00:04:29] <klondike> +1 on wontfix
[00:04:32] <Chainsaw> Even the kernel is likely to drop 3.X support soon.
[00:04:42] <Zorry> on glibc still waiting for the sigaction fix
[00:05:04] <Zorry> don't have any more on toolchain
[00:05:17] <Zorry> any else?
[00:05:23] <Chainsaw> http://lkml.org/lkml/2010/10/26/147
[00:05:55] <blueness> follow up on Chainsaw, I already closed some bugs wontfix long ago regarding kernel and 3.4.6
[00:06:01] <Zorry> quantumsummers|a: do you have some time to make some news on the first page?
[00:06:05] <blueness> upstream was not interested in fixing
[00:06:15] <Chainsaw> blueness: *nod*
[00:06:23] <Zorry> quantumsummers|a: about the gcc stuff?
[00:06:37] <quantumsummers|a> Zorry: I am not sure PR will like it, but I will write something & pass it to them.
[00:07:24] <Zorry> quantumsummers|a: k np if they don't we have the news on hardened ml :)
[00:07:28] <blueness> quantumsummers|a, remind PR that gentoo is well known for its hardening, we're one of the best distros for this
[00:07:35] <klondike> Zorry: I can add a section to hardened project page with the news if necessary.
[00:07:53] <klondike> A bit orthodox but doable
[00:07:54] <quantumsummers|a> I'll start now. I have a fairly sizable production deployment happening right now, so it'll take a few mins, in between beating the old goat, etc
[00:07:58] <quantumsummers|a> blueness fine point
[00:09:14] <Zorry> next ?
[00:09:22] <Chainsaw> Yes, let's keep it moving.
[00:09:32] <Zorry> 2.0 Kernel
[00:09:52] <Zorry> blueness: talk
[00:09:57] <Chainsaw> 2.6.34-hardened-r6 currently stable; on three production servers so far.
[00:10:10] <blueness> okay, mostly i've been keeping afloat, there were two major local root exploits
[00:10:47] <quantumsummers|a> 2.6.32 is good, and 2.6.35 is good (on hardware and as guests)
[00:10:48] <Chainsaw> Thankfully completely unaffected by the first on AMD64. It was mitigated so many ways.
[00:11:02] <blueness> i've been working with mpagano_ to try to establish better stabilization policies for when critical exploits are found in the kernel
[00:11:07] <Chainsaw> (IA32 off, no symbols, uderef...)
[00:11:08] <blueness> for faster turn around
[00:11:11] <quantumsummers|a> blueness: nice
[00:11:52] <Chainsaw> To enable faster turn around I have given mpagano my blessing to stable AMD64 kernels where he sees fit (and sign my name for herd approval).
[00:12:06] <Zorry> good
[00:12:09] <blueness> i've got an agreement with ppc64 and ppc to do stabilization, and i think i'll formalize it for x86 and x86_64 because when these exploits come up we need to act quickly ... in fact we were criticised for the slow response the first time
[00:12:09] <Chainsaw> I would like to suggest that mpagano tests hardened and blueness tests non-hardened.
[00:12:23] <Chainsaw> Just to have another set of eyes on it.
[00:12:35] <blueness> Chainsaw, good idea, i do anyhow, but i think we can formalize this
[00:12:50] <blueness> the current state is this:
[00:13:17] <blueness> 2.6.32-r9 is stable on x86, amd64 and ppc64, it will not stabilize on ppc, others arches have skipped stabilization
[00:13:38] <blueness> 2.6.32-r18 was fast track stabilized on amd64, but is gone now because it had an RDS exploit
[00:13:54] <blueness> currently 2.6.32-r22 is stable on amd64 and x86, i'm working on ppc64 and ppc
[00:14:21] <blueness> 2.6.35-r4 and -r5 cannot be stabilized yet because of a bug in the vanilla kernel regarding dhcp
[00:14:35] <blueness> it will be stabilized once baselayout-2 is stabilized
[00:14:49] <klondike> blueness: can you say the bug #?
[00:15:03] <blueness> for which one?
[00:15:08] <klondike> for dhcp
[00:15:34] <blueness> i don't have it handy, i'll get it while we go on with the meeting because i'm done with kernel stuff
[00:15:49] <klondike> ok
[00:16:12] <Zorry> okay next then
[00:16:14] <blueness> Zorry, move on if there are no more kernel issues?
[00:16:35] <Zorry> 3.0 Profile
[00:17:18] <blueness> heh, i guess i should say what i've done with profiles
[00:17:24] <blueness> >nothing<
[00:17:36] <Zorry> will change some stuff for the pic use-flag for amd64 in some packages
[00:18:01] <Zorry> since we don't need to disable asm code in some packages
[00:18:43] <blueness> klondike, bug #334341
[00:18:46] <willikins> blueness: https://bugs.gentoo.org/334341 "Please mark =sys-kernel/gentoo-sources-2.6.35-r4 and =sys-kernel/vanilla-sources-2.6.35.3 stable"; Gentoo Linux, Ebuilds; NEW; mpagano@g.o:kernel@g.o
[00:19:01] <Zorry> will try to see if we can remove the pic default on in the amd64 hardened profile
[00:19:08] <klondike> thanks blueness :D
[00:19:28] <Zorry> else i haven't done anything
[00:19:43] <blueness> Zorry, why are you removing the pic default on amd64?
[00:20:15] <Zorry> blueness: the pic disabled the asm code but most asm code on amd64 is pic friendly
[00:20:40] <Zorry> running mesa with full asm code
[00:20:41] <blueness> ah okay
[00:20:46] <blueness> right i remember that now
[00:21:12] <blueness> i have only one thing to add about profiles
[00:21:35] <blueness> about 3 months ago we discussed switching the profiles so that the /10.0/ was removed
[00:21:51] <blueness> that work is still up on the hardened-dev overlay, but i haven't looked at it in months
[00:22:15] <blueness> at that time we decided to not make the move until after the stabilization of gcc-4.4.4
[00:22:33] <blueness> so now, do we want to go ahead and change to the new profile structure for hardened?
[00:22:59] <Chainsaw> I do believe the 10.0 adds nothing for us.
[00:23:06] <Chainsaw> It would look a lot better to have it gone.
[00:23:12] <klondike> Maybe we should wait a bit to do so
[00:23:24] <Chainsaw> klondike: The heavy lifting is done.
[00:23:36] <Chainsaw> klondike: This is mostly about careful testing before unleashing it.
[00:23:37] <klondike> Chainsaw: it's been tested?
[00:23:45] <blueness> Chainsaw, exactly, all i did was just move all the profile up a level removing the 10.0 directory
[00:23:54] <Chainsaw> klondike: Yes.
[00:24:08] <klondike> then I see no problem
[00:24:08] <blueness> gengor started that work, but left it for a long time so it needed to be rebased against the current state of the profiles
[00:24:40] <blueness> i could rebase again and test on x86, amd64, ppc64 and ppc
[00:24:51] <Zorry> blueness: if we don't have any major bugs we should start to do it
[00:25:05] <blueness> basically i just do a mount --bind of the hardened profiles from the overlay to portage and see if anything changes
[00:25:12] <Zorry> start with amd64
[00:25:21] <quantumsummers|a> hey, that's a good trick blueness
[00:25:56] <quantumsummers|a> now that I finally have a decent test bed, I might try that, if you guys think it beneficial
[00:26:07] <blueness> okay let me start on amd64, then we'll send out a message about the change
[00:26:34] <blueness> what steps should we take to announce it?  discuss it on -dev first
[00:27:20] <Chainsaw> Some bikeshedding might result, but it's polite to pre-announce and leave a few days.
[00:28:04] <klondike> Not sure, but can the old and the new profiles live along for some time?
[00:28:16] <Zorry> yes it can
[00:28:18] <blueness> Chainsaw, yeah that was your suggestion last time too
[00:28:42] <blueness> klondike, yes, there is a special file that you leave in the old profile dir that says it's deprecated
[00:28:43] -*- Chainsaw changes the record
[00:28:58] -*- klondike thinks that if they can live along we do as we did last time
[00:29:01] <blueness> then if you point make.profile to a deprecated profile, you get warned
[00:29:50] <blueness> last thing, i'm a bit *afraid* of committing to the profiles, so if we could do that together, ie someone watches that i don't break everything, i'd appreciate it
[00:29:57] <blueness> when the time comes
[00:30:04] <Chainsaw> Sure :)
[00:30:08] <Zorry> sure
[00:30:11] <blueness> thanks :)
[00:30:52] <blueness> the first time i commit to package.mask, i accidentally wiped out the UTF-8 encoding on the Changelog ... ssuosis saved me!
[00:31:12] <klondike> All I can do is give cheers and keep the fingers warm to write docs blueness :(
[00:31:15] <blueness> anyhow .... i'm done
[00:31:40] <Zorry> next?
[00:31:44] <blueness> ye
[00:31:45] <blueness> yes
[00:31:51] <klondike> 4.0
[00:31:54] <klondike> docs
[00:32:12] <Zorry> 4.1 the main page
[00:32:19] <Zorry> klondike: talk
[00:32:22] <klondike> ok
[00:32:25] <quantumsummers|a> lol
[00:32:45] <klondike> I have been spending some time getting familiar with guideXML and gorg
[00:33:08] <klondike> as a result I have been able to update the main webpage
[00:33:27] <klondike> and thanks to quantumsummers|a we now have a nice repo for docs which must be reviewed
[00:33:35] <klondike> So we should vote on 2 things
[00:34:00] <klondike> First one if the new main page is ready to be changed or still needs more care
[00:34:14] <quantumsummers|a> klondike: links to view?
[00:34:28] <klondike> Model 1: http://193.11.232.165:8008/proj/en/hardened/
[00:34:37] <klondike> Model 2: http://193.11.232.165:8008/proj/en/hardened/index2.xml
[00:35:24] <quantumsummers|a> I think the herd members can be edited
[00:35:26] <klondike> If we go for Model 2 we should move the rest of the subprojects to their own webpage, it isn't a big fuss anyway and would make things way more structured
[00:35:55] <klondike> It can also help us keep track there of the task pending from the meetings
[00:36:01] <klondike> *tasks
[00:36:28] <klondike> So well, first, is the new frontpage mature enough to be changed?
[00:36:37] <quantumsummers|a> we could do something similar to the foundation meeting pages, where we have the raw logs, and any motions/important things in their own table
[00:37:27] <quantumsummers|a> klondike: I think its good for now, and we can mess with it further as needed
[00:37:32] <klondike> quantumsummers|a: for me it's no problem preparing a log formatter and sanitizer
[00:38:08] <quantumsummers|a> we need someone to be able to commit them to the www cvs repo also, I suspect someone around here can do that
[00:38:10] <Zorry> if we start with model1 and go from there
[00:38:28] <Chainsaw> Do you need full names?
[00:38:39] <Chainsaw> The first column looks a bit weird empty.
[00:38:44] <quantumsummers|a> Chainsaw: yepper, we should have them on there
[00:38:46] <klondike> Chainsaw: they will be filled when published on the www automatically
[00:38:50] <blueness> klondike, i think model 1 is fine
[00:38:53] <klondike> it's a bug on gorg
[00:39:01] <Chainsaw> Ah, an undocumented feature. Okay.
[00:39:50] <blueness> just one question about the division of the subprojects, it is fuzzy because i don't know if it makes much sense to distinguish Pax/GRSEC from hardened sources
[00:39:56] <klondike> (has been reported as bug 342569 )
[00:40:00] <willikins> klondike: https://bugs.gentoo.org/342569 "www-servers/gorg won't try to add developer names on project xml pages"; Gentoo Linux, Applications; NEW; franxisco1988@mixmail.com:ramereth@g.o
[00:40:23] <quantumsummers|a> blueness I agree, there is no clear line of demarcation there
[00:40:58] <blueness> quantumsummers|a, the two emphasize different aspects, but they're closely related
[00:41:10] <klondike> That's also true
[00:41:46] <klondike> but for example toolchain is just barely related to hardened-sources and pax/grsec
[00:42:03] <blueness> anyhow, i don't have a strong feeling about it, just think about it if something more meaningful occurs to you klondike
[00:42:07] <quantumsummers|a> Yes, now that I consider it further, Pax/Grsec represent more than simply the kernel patches
[00:42:17] <blueness> yes
[00:42:21] <quantumsummers|a> i.e. paxutils, gradm, etc
[00:42:24] <blueness> eg gradm
[00:42:25] <klondike> And having their documentation well differentiated could help newbies
[00:42:26] <blueness> right
[00:42:30] <quantumsummers|a> double right
[00:42:45] <quantumsummers|a> treble clef?
[00:42:47] <quantumsummers|a> :D
[00:42:51] <blueness> ++1
[00:42:57] <blueness> 1++
[00:42:59] <quantumsummers|a> oooo, auto-increment
[00:43:05] <blueness> okay enough silliness
[00:43:16] <quantumsummers|a> fine :|
[00:43:24] <klondike> so then let's decide
[00:43:37] <Zorry> go for model 1 or 2 ?
[00:43:39] <blueness> klondike, i think leave it for the reasons stated above
[00:43:41] <blueness> oh
[00:43:49] <quantumsummers|a> Motion: approve model 1 prepared by klondike (with edit to herd)
[00:43:58] <quantumsummers|a> Vote please
[00:43:58] <blueness> second
[00:44:01] <Chainsaw> In favour.
[00:44:07] <blueness> aye
[00:44:08] <quantumsummers|a> aye
[00:44:09] <klondike> abstention
[00:44:15] <quantumsummers|a> Zorry: ?
[00:44:27] <Zorry> yes for model 1
[00:44:30] <quantumsummers|a> carried
[00:44:32] <Chainsaw> Unanimous.
[00:44:43] <Chainsaw> Ah, almost.
[00:44:51] <klondike> Unanimous :P
[00:45:00] <klondike> I just can't vote one or the other
[00:45:02] <Chainsaw> No, klondike was being difficult.
[00:45:05] <quantumsummers|a> very nice work klondike, you have our thanks
[00:45:13] <Chainsaw> Anyhow, what's next Zorry.
[00:45:24] <Chainsaw> Yes, it looks good :)
[00:45:32] <blueness> yeah thanks klondike i hate writing docs
[00:45:37] <Zorry> +1
[00:45:40] <quantumsummers|a> klondike, I believe, has other docs related material to discuss
[00:45:53] -*- Chainsaw hands the microphone to klondike 
[00:45:54] <klondike> yes
[00:46:03] -*- quantumsummers|a turns it up to 11
[00:46:03] <Zorry> we still need a lot more work
[00:46:18] <Zorry> but we take page by page 
[00:46:45] <klondike> I have been also fixing the faq and created a small debugging guide which was based on the faq original content
[00:47:05] <klondike> Also formatted the FAQ properly according to the Guide XML docs
[00:47:07] <blueness> oh i should add that i wrote a partial doc on virtualization and hardening, it's on icoalesce and will put it on hardened-docs
[00:47:25] <quantumsummers|a> works well, that guide
[00:47:27] <klondike> blueness: I'll xmlify it if you need :D
[00:47:33] <quantumsummers|a> do it
[00:47:58] <klondike> Ok I'll have it done by next week if nothing bad happens
[00:47:59] <blueness> klondike, sure, go ahead and grab it and put it up yourself after xml-ify
[00:48:21] <klondike> Anyway there are two small issues to discuss
[00:48:29] <klondike> First one is licenses
[00:48:34] <Zorry> i have some docs too but they need a lot more work (the new piepatch for >4.3)
[00:49:09] <klondike> according to guidelines our docs need to have CC-BY-Sa 2.5 licenses
[00:49:15] <quantumsummers|a> yes
[00:49:39] <klondike> What I don't know is what to do with the older ones.
[00:50:06] <quantumsummers|a> klondike: which ones specifically?
[00:50:13] <klondike> For example the FAQ had no license so legally that means all rights reserved
[00:50:39] <klondike> but actually all the docs on hardened have either old CC licenses or no license at all
[00:51:35] <quantumsummers|a> hmm, I'll bring this up at the next trustees meeting
[00:51:42] <quantumsummers|a> don't do nuthin
[00:51:45] <klondike> thanks quantumsummers|a :D
[00:51:49] <quantumsummers|a> til ya hear back from me
[00:51:53] <quantumsummers|a> np klondike
[00:52:24] <klondike> There is one more thing
[00:52:26] <blueness> heh, i would never have thought of the licensing issue, but i guess we can't just change them to CC without possibly infringing
[00:53:03] <klondike> I need the hardened wiki faq to merge it with my version before proposing uploading
[00:53:33] <Zorry> quantumsummers|a: did you get the docs ^^
[00:53:41] <klondike> And also we should seriously think on putting some order in the doc distribution
[00:54:10] <Zorry> quantumsummers|a:  or do we need start over?
[00:54:31] <Honoome> blah
[00:54:45] -*- Honoome needs to get his laptop out ? four keyboards on a friggin' desk?!
[00:54:53] <klondike> For last thing I'll try writing a proposal for next meeting, but I need some support on that from somebody like swift, I don't know policies on reorganizing documents
[00:55:01] <Zorry> klondike: a order would be good
[00:55:15] <quantumsummers|a> Zorry: I am in , and gonna scp the db, which I will then manually extract our docs
[00:55:26] <Honoome> klondike: are you talking /doc/ or /proj/?
[00:55:29] <Zorry> quantumsummers|a: good :=
[00:55:56] <klondike> Honoome: doc, the  subprojects thing has been rejected in favour of current order
[00:56:09] <Honoome> klondike: you better talk with nightmorph then
[00:56:14] <Honoome> he's been the one-man-doc-team lately
[00:56:25] <klondike> anyway I'll try using subproject pages for that if the hardened people don't mind
[00:56:35] <klondike> (and metadoc xml)
[00:56:58] <Zorry> try it 
[00:57:15] <klondike> Ok will do
[00:57:31] <Honoome> klondike: you're used to gorg already?
[00:57:38] <klondike> Honoome: mostly
[00:57:49] <klondike> at least can generate docs and run the server
[00:57:58] <klondike> And write project pages and Guides :D
[00:58:22] <quantumsummers|a> Zorry: ok, I have it. Time to try to crack it open and get something meaningful :D
[00:58:31] <Honoome> k :) just wondering because most people dislike that stuff like diseases
[00:58:45] <blueness> Honoome, solar once showed me a way to turn off the markup so you can see the raw xml on a gorg page.  do you remember how to do that?
[00:58:55] <blueness> something like ... .xml?passthrough=1
[00:58:58] <klondike> blueness: ?passthru=1
[00:59:20] <Honoome> blueness: what klondike said :P
[00:59:22] <Chainsaw> (Even though passthrough is the correct spelling and passthru is not. Sigh.)
[00:59:35] <Honoome> Chainsaw: I do think it was intended
[01:00:00] <Chainsaw> Honoome: Fine. If U say so.
[01:00:17] <klondike> Well I suppose this closes the doc thing, for the debugging  doc I'll add the guy who did all the investigation on the bugs as contributor to the doc and for the faq need the wiki page to do some magic
[01:00:28] <Honoome> Chainsaw: no need to make me cringe here! :P I didn't decide it!
[01:00:29] <klondike> If anybody has something to say?
[01:01:19] <Zorry> next?
[01:01:24] <blueness> yes
[01:01:37] <klondike> ok
[01:01:44] <Zorry> 5.0 bugs
[01:01:57] <Zorry> do we have anu bugs to disscuse?
[01:02:08] <Zorry> s/anu/any/
[01:02:23] <blueness> well just one that i'd like people to try and comment on
[01:02:32] <Honoome> Zorry: the strict overflow thing somebody has to report upstream
[01:03:01] <blueness> I can't reproduce #340801.  it's open against gradm-2.2.0 and i want to stabilize that for the new kernels
[01:03:03] <Zorry> Honoome: Halcy0n will take a look on it
[01:03:22] <blueness> so i just want to solicit some testing and comments on that bug so i know if it's legit or not
[01:03:40] <klondike> !bug 340801
[01:03:46] <willikins> klondike: https://bugs.gentoo.org/340801 "sys-apps/gradm-2.2.0.201009022049 segmentation fault startup "gradm -E""; Gentoo Linux, Hardened; NEW; testest82@mail.ru:hardened-kernel@g.o
[01:04:03] <Honoome> Zorry: I'd suggest somebody open it upstream nonetheless, Mark's timing can be.. difficult to work with sometimes
[01:04:25] <klondike> blueness: maybe he has the same memory problems I did
[01:04:35] <klondike> I'd suggest trying -r5
[01:04:52] <Zorry> Honoome: okay will try to bug it upstream
[01:05:06] <klondike> And compile gradm -O0 JIC
[01:06:13] <blueness> Zorry, can you give me the history on the strict-overflow, it's not just in the current compiler, right, that problem is there in 4.3.4?
[01:06:44] <Honoome> blueness: the bug is non-hardened specific, happens with 4.5 even from the tip of the current branch
[01:06:44] <Zorry> blueness: the prob is only in gcc 4.5.1
[01:06:59] <blueness> k
[01:07:17] <blueness> i'm surprised upstream doesn't know about it yet
[01:07:44] <Honoome> don't be, gcc compile problems often lie around for a very long time before being found
[01:08:03] <Honoome> [there is a reason why FFmpeg calls it a random code generator]
[01:08:12] <blueness> heh
[01:08:44] <Zorry> could we get a gdb bt from the gradm?
[01:09:11] <blueness> he's got an strace, which doesn't say much
[01:09:20] <blueness> but yeah, a bt would be good
[01:10:38] <blueness> anything else?
[01:10:47] <Zorry> nope
[01:11:03] <Zorry> next?
[01:11:11] <blueness> sure
[01:11:21] <Zorry> 6.0 open for users
