From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1POJ4P-0005Nn-2Y for garchives@archives.gentoo.org; Fri, 03 Dec 2010 00:00:13 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AAC53E019D; Thu, 2 Dec 2010 23:57:44 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 4BFB5E019D for ; Thu, 2 Dec 2010 23:57:44 +0000 (UTC) Received: from laptop1.localnet (ip1-67.bon.riksnet.se [77.110.8.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: zorry) by smtp.gentoo.org (Postfix) with ESMTPSA id E77F21B4003; Thu, 2 Dec 2010 23:57:42 +0000 (UTC) From: Magnus Granberg Organization: Gentoo.org To: hardened-dev@gentoo.org, hardened-kernel@gentoo.org, hardened@gentoo.org, gentoo-hardened@lists.gentoo.org Subject: [gentoo-hardened] Meeting 2010-12-01 20:00 UTC log Date: Fri, 3 Dec 2010 00:57:48 +0100 User-Agent: KMail/1.13.5 (Linux/2.6.36-hardened; KDE/4.4.5; x86_64; ; ) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: Multipart/Mixed; boundary="Boundary-00=_8JD+M76GS30xrvg" Message-Id: <201012030057.48626.zorry@gentoo.org> X-Archives-Salt: 3171338e-6748-4ae3-b7ae-3a31c0a10608 X-Archives-Hash: f0973b53278e2c27b7c7fe796e99e331 --Boundary-00=_8JD+M76GS30xrvg Content-Type: Text/Plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi Log from the meting 2010-12-01 20:00 UTC Hardened at Gentoo.org Magnus Granberg (Zorry) --Boundary-00=_8JD+M76GS30xrvg Content-Type: text/x-log; charset="ISO-8859-1"; name="meeting-2010-12-01_20:00UTC.log" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="meeting-2010-12-01_20:00UTC.log" [21:10:36] do we start the meeting without blueness? [21:10:49] we can skip kernel until he arrives [21:11:27] k [21:11:30] how about lets do 'docs' to start? [21:11:56] hmm, klondike is missing [21:11:56] Go for it. [21:12:37] klondike: hi [21:12:38] klondike: hey there [21:12:46] just in time, sir [21:12:54] Sorry for the delay [21:12:58] np [21:13:12] we take the docs fist [21:13:19] please, give us the update on docs. if you are ready [21:13:25] so over to you klondike [21:13:41] ok [21:13:44] five secs [21:14:10] First thing is tha we have finally updated the main page [21:14:16] so one less worries here [21:15:03] klondike: has that been committed to gentoo-www? [21:15:25] yes quantumsummers|a [21:15:32] just look at it by yourself [21:15:38] Zorry: did the commit [21:15:44] we also published a small guide on how to debug on Gentoo Hardened, it is in http://www.gentoo.org/proj/en/hardened/hardened-debugging.xml [21:16:23] I expect to improve them a lot after christmas [21:16:24] saw that, nice [21:17:22] Thanks to swift and blueness we also have some draft on virtualization using gentoo hardened, for now it covers kvm but I have references for vmware and xen and also expect to see it published by christmas [21:17:53] On the other side, the updated FAQ is almost ready and just waiting for blueness' ok to be published [21:20:01] We also discussed the idea of giving some order to our docs with nightmorph and he explained us that it was a bad idea because of the lose of cvs histories etc anyway we can use symlinks to the docs to solve the problem [21:20:51] We also have now a bug tracking gentoo hardened issues: bug 346803 [21:20:54] klondike: https://bugs.gentoo.org/346803 "[Tracker] Gentoo Hardened Documentation update tracker"; Doc Other, Project-specific documentation; NEW; franxisco1988+gentoo@gmail.com:hardened@g.o [21:21:55] And as a last things we need somebody who knows prelude to close bug 341951 I can shamelessly take the contents from the wiki but still can't be sure they are ok [21:21:57] klondike: https://bugs.gentoo.org/341951 "Hardened prelude page outdated"; Gentoo Linux, Hardened; NEW; john@adminking.com:hardened@g.o [21:23:14] don't even use it [21:23:15] We also have a bug on the it translation by ago 347025 I have to add a small correction by Honoome but otherwise it is ok, anyway I think we can't push the patch as it has to be done by the italian translators [21:23:36] Zorry: don't even use it, you mean the wiki contents? [21:23:46] klondike: the app [21:24:02] Zorry: you mean prelude? [21:24:06] yes [21:24:35] Ok I can update the guide to say just that but I think there were some prelude savy people around [21:25:41] Anyway I'm not even sure if prelude is maintained [21:25:44] take look on the wiki and try to update it [21:26:00] Well that's all I have to say on docs [21:26:15] What about the it corrections by ago [21:26:57] the main gresrc packages should be update [21:27:04] pages* [21:27:17] Yeah I know [21:27:23] I'l add that to my todo [21:27:39] anyway a page with grammatical errors doesn't talk good of us [21:27:58] so the IT page should then be rewiten [21:28:16] but it is okay to fix the gramma men time [21:28:33] Zorry: I know [21:28:51] Well that's all I have to say [21:29:01] k [21:29:04] Any tasks to carry on Docs during this months? [21:29:50] klondike: don't know if we should try to fix the roadmap page? [21:30:05] Will do [21:30:29] k [21:30:45] any one else have some thing on the docs? [21:30:47] BTW quantumsummers|a thanks for putting the docs from the old wiki they are quite helpful [21:31:00] klondike: np [21:31:12] oh, one thing. [21:31:28] trustees are working on the licensing situation. [21:31:39] we should have some guidance soon. [21:31:42] good :) [21:32:39] :D [21:32:41] Nice [21:32:55] thanks to klondike for providing data set [21:33:02] makes life easier [21:33:07] you are welcome men [21:34:12] quantumsummers|a: it should be good to just point new docs to a page with the latest license so foundation can update it if necessary [21:34:31] well, as I promised a few weeks ago, I'll start updating/rewriting (depends on the load) the SELinux handbook stuff [21:34:51] SwifT: :) [21:35:03] I'll put the new files in the gogo repository; in general, it will include both an introduction to SELinux as well as some pointers on how to use it with Gentoo/Hardened [21:35:03] SwifT: Nice. :) [21:35:25] the real difficulty will be to decide how to tell people to install it, as we currently have no real "official" way to do so (you'll need to hack here and there) [21:35:51] but I'd rather have an interesting doc around with one "WIP" chapter (installing) :) [21:36:57] Well I'd also like to see a grsec handbook, SwifT you see it possible? [21:37:55] what diference would there be between http://en.wikibooks.org/wiki/Grsecurity and a gentoo one? [21:38:05] yes, although I think the amount of user-information for grsec is rather limited (just the chpax/chwhatever stuff) [21:38:31] prometheanfire: one would be to document how to chpax binaries automatically every time you install it (the /etc/portage/bashrc trick) [21:38:51] kk [21:39:04] but indeed, it'll be rather limited (the delta between official docs and Gentoo-specific ones) [21:39:12] prometheanfire: the focus, the first is distro agnostic and ours will be gentoo centric, [21:39:36] and selinux is not treated well in the grsec wiki [21:41:04] do we have any more on the docs? [21:41:40] quantumsummers_: To be fair, there's no particular reason it should be, give that grsec and selinux are two different things. [21:42:02] yes, exactly [21:42:29] Crap! I got arms deep in code an forgot about the meeting! [21:42:43] -*- gizmo sighs [21:43:09] can we move on? [21:44:17] sure, what's next Zorry? [21:44:31] Toolchain [21:45:01] quantumsummers|a: clould you giv blueness a call ? [21:45:20] next 1.0 Toolchain [21:46:16] sure, I think I have his ## [21:46:46] the gcc-4.4.4-r2 have been stable for some weeks now and it looks to work well [21:47:01] +1 [21:47:28] and 4.5.1 did have some broken stuff but it was fixed in the last gentoopatchset for it [21:47:31] +1 [21:48:04] no answer from blueness [21:48:09] 4.6 will be in the hardened-overlay for testing the patchset [21:48:15] quantumsummers|a: k [21:48:43] so we have the patchset ready when it hit the tree [21:49:20] still waiting on vapier on the cryptsetup/glibc thing [21:49:48] don't have any more on the toolchain stuff [21:49:58] any one else? [21:50:23] I am curious about a couple things [21:50:33] speek [21:50:56] just curious, mind you, but what, if any, consideration do we officially have for uclibc? [21:51:53] quantumsummers|a: the main prob with it is that i lack ssp support and you need unstable uclibs to use with gcc-4 [21:52:12] gotcha [21:52:17] sorry, afk for a sec [21:52:17] else it should work fine [21:52:21] cool [21:52:47] Zorry: [21:52:58] yes [21:53:24] On cryptsetup bug I can contribute a small workaround to generate and use a dynamic cryptsetup on the initrd [21:54:13] feel free but it should be fixed the real way [21:54:41] I agree with that I know is only like putting a band on a broken arm [21:54:51] All I need is the bug [21:55:50] !bug 283470 [21:55:54] Zorry: https://bugs.gentoo.org/283470 "sigaction() on static/x86_64 sets up invalid sa_restorer field"; Gentoo Linux, Hardened; NEW; nick.olinek@gmail.com:hardened@g.o [21:56:23] can we move on? [21:59:30] so we jump over kernel ? [22:00:20] No point without him here. [22:00:24] k [22:00:37] Profiles then? [22:00:58] 3.0 Profiles [22:01:47] we have now merge hardened/linux/ach/10.0 to hardened/linux/arch/ [22:02:01] and it looks this far to work well [22:02:19] blueness: shoud have some ++ for the work [22:02:49] What happened with blueness? [22:03:30] ++ good on amd64 [22:03:45] yeah to me works on x86 and amd64 [22:04:07] i will sone start to play with pic use flag on amd64 to see if we can remove the default on [22:04:41] for the most code should allready be pic friendly codded [22:04:48] for amd64 [22:05:35] and was thinking to add jit use flag to default off in the hardened profile [22:06:09] else i don't have any more on the profiles [22:06:20] Zorry [22:06:30] gizmo: yes [22:06:33] Zorry: I'm going to try to look into the SELinux profiles either this week or next; we seem to have some issues with USE flags. I've talked with PeBenito and he's pointed me in the right direction I think, but I may still need some help wrapping my head around Portage's inheritance model. [22:06:58] gizmo: okay [22:08:29] gizmo: if you want to mees with the profiles you can use the overlay [22:08:53] ok [22:09:08] I've got some other stuff when we get to bugs and open floor [22:09:22] k [22:09:46] any one else have some thing on the profiles? [22:10:31] okay next [22:10:38] 5.0 bugs [22:10:58] gizmo: do you have some thing? [22:11:06] Yes [22:11:26] I've compiled a list of open SELinux bugs that I'm working through. [22:11:45] I think a good number of them are so old that they are 'stale', and we'll probably have to close them on that account [22:12:27] I've submitted a number of patches upstream, and once I have confirmation on commits, I'll be closing some related bugs on those. [22:12:37] :) [22:12:49] gizmo: you could do a tracker bug, that way people can see the lists easily [22:13:03] klondike: 'k [22:13:27] One thing I'm a little unclear on, and this may not be the place to discuss this [22:13:49] is: do I need to open a bug on b.g.o. for stuff that I commit upstream? [22:14:17] gizmo: nope [22:14:19] I don't think so [22:14:27] ok [22:14:59] I've got a bunch of stuff I've submitted upstream related to baselayout 2 [22:15:14] which I almost have completely working now on my test SELinux system. [22:15:20] :) [22:15:37] I'll be pushing the ebuilds to the hardened overlay once I have confirmation on the commits. [22:16:01] That's it, I think. [22:16:16] k [22:16:47] i don't have any bugs to dissuse [22:16:55] any one else? [22:17:26] the bugs on docs where discussed in docs time so nothing on docs I think [22:17:52] okay [22:18:32] meeting done and open floor and we move the kernel to next meeting ......... 2.0 Kernel report [22:56:34] kernel [22:56:39] -*- Aleister should have brought his poems. [22:57:02] i've been keeping up with 2.6.32 and 2.6.36 branches, the .34 and .35 were dropped by grsec team [22:57:46] i'm still working on getting a policy for quicker stabilization of derivative kernels, working with mpagano et al. upstream moves too fast for the usual 30 day wait [22:57:59] by the time 30 days are up, a bug has been found! [22:58:10] that's fixed and then another one [22:58:32] so i have to think of an intelligent way to stabilize which isn't too risky but still keeps up with upstream [22:58:45] i will submit a but for change of policy soon [22:58:52] next [22:58:53] profiles [22:59:06] that is done [22:59:08] they are done, and there have not been any disasters [22:59:21] blueness++ [22:59:24] nice work on a smooth transition guys [22:59:42] i figured out what gengor was doing and why and extended it to ia64 and fixed up ppc stuff [22:59:55] nothing more to report on that --Boundary-00=_8JD+M76GS30xrvg--