Date: Sun, 30 Apr 2017 14:08:11 +0300
From: Alex Efros
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] RIP hardened-sources

Hi!

On Sat, Apr 29, 2017 at 07:46:10PM +0300, Alex Efros wrote:
> Thanks! But doesn't this mean you forbid all Linux distributions (including
> commercial ones like RedHat) to be GrSec/PaX subscribers (in case they
> like to spend some money for it)? I.e. this decision will ensure majority
> of Linux systems will never ever have GrSec/PaX

If no one has replied to this yet because that's the sad truth, then may I
ask why you don't like to solve this in some way?

For example, you can continue publishing the source of GrSec/PaX versions, but
use a license which allows using it for free only for personal use and small
business (say, less than 10-20 computers) on usual desktop/server PCs. This
way all server/desktop Linux distributions will be able to include an
alternative hardened kernel or have an alternative hardened variant of the
overall distribution, but the end-user will have to decide whether they can
use it for free or should subscribe or avoid using it.

For Android phones/tablets and embedded devices you can make a separate clause
in the license to let you get some money from Google and companies developing
embedded devices if they would like to use GrSec/PaX, without forbidding such
a possibility at all (rumours are that current subscription options require
limiting the number of installations, which surely doesn't make sense for
Android).

This way you shouldn't lose any money compared to the current situation; it
also solves the previously mentioned issues where bad companies sell an
unsupported and modified GrSec variant and use "grsecurity" for marketing
their own products. Plus you'll continue to widely test your patch with Gentoo
Hardened and some other distributions' users and have your patch available
for any external audit, which is always good for a security product's karma.

If there are no good reasons to reject the proposed solution and no
alternatives to let people continue using GrSec/PaX for personal/small
business use, then, yeah, conspiracy theories and three-letter agencies start
coming to mind - just because they win more than anybody else, including
yourself, if all Linux distributions won't have GrSec/PaX anymore.

--
WBR, Alex.