From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B1B8D1399CE for ; Thu, 3 Sep 2015 19:28:43 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0B75C95741; Thu, 3 Sep 2015 19:28:37 +0000 (UTC) Received: from mx10.schiffbauer.net (mx10.schiffbauer.net [188.40.110.137]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 406F0141A1 for ; Thu, 3 Sep 2015 19:28:35 +0000 (UTC) Received: from pd956cfd5.dip0.t-ipconnect.de ([217.86.207.213]:37932 helo=localhost) by mx10.schiffbauer.net with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from ) id 1ZXaBV-0007ii-B4 for gentoo-hardened@lists.gentoo.org; Thu, 03 Sep 2015 21:28:33 +0200 Date: Thu, 3 Sep 2015 21:28:26 +0200 From: Marc Schiffbauer To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] The state of grsecurity in gentoo Message-ID: <20150903192826.GF30362@schiffbauer.net> Mail-Followup-To: gentoo-hardened@lists.gentoo.org References: <55E7202D.7080402@opensource.dyc.edu> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <55E7202D.7080402@opensource.dyc.edu> User-Agent: Mutt/1.5.23 (2014-03-12) X-Virus-Scanned: by ClamAV (http://www.clamav.org) X-Spam-Score: -1.0 X-Spam-Level: - X-Archives-Salt: 96ae7285-e25e-406e-b32e-69eb67617248 X-Archives-Hash: b93283ee7fad2aa9b8c56b6bebfacff4 * Anthony G. Basile schrieb am 02.09.15 um 18:13 Uhr: > Hi everyone, > > So by now most people have heard the news that the Grsecurity/PaX team > are no longer going to be making their stable patches available. The > reason is that they are in dispute with a certain embedded systems > vendor and those negotiations broke down. So they decided to make their > stable patches only available to the sponsors. [1] > > What does this mean for Gentoo? Up until now I have been maintaining > both the grsec upstream stable and testing patchsets in our > hardened-sources. Currently the upstream stable kernels are 3.2.71 and > 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and > 3.14.51 patchsets will no longer be available and I'll continue pushing > out the 4.1.6. Unfortunately the testing patchset is precisely as the > name suggests --- for testing and not production. For the embedded > systems company this will be the kiss of death because those patches are > not suitable for long term. For Gentoo it will mean that I will have to > be more vigilant about bugs and trying to stick with a well known kernel > before moving on. You can still use these kernels in production, but > you must be carefull about instabilities as upstream pushes out > experimental feature that may oops or panic. Keep older kernel images > around and revert if it doesn't work. Look to this list for > announcements about more serious issues like things that can cause data > loss. > > I'm hoping that once this company feels the sting of what has just > happened, they'll come back to the table and talk with Grsec/PaX people. > They won't be able to ship boards with grsec anymore because its not so > easy to switch out a kernel on a board! If they ship a board with a > bug, they loose. We just reboot :) > > [1] https://grsecurity.net/ Can't Gentoo be a sponsor? I think we could easly croudfund a sponsorship. This would help Gentoo and Grsecurty/PaX but OTOH that vendor might just use the gentoo kernel if they not already did so. Thoughts? -- 0x35A64134 - 8AAC 5F46 83B4 DB70 8317 3723 296C 6CCA 35A6 4134