Date: Tue, 9 May 2017 00:12:03 +0300
From: Andrew Savchenko
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Technical repercussions of grsecurity removal

On Mon, 1 May 2017 13:58:08 +0000 Sven Vermeulen wrote:
> On Mon, May 01, 2017 at 01:28:54PM +0300, Andrew Savchenko wrote:
> > > The obvious step is indeed to stop further *current* development on
> > > hardened-sources.
> >
> > Why not support hardened-sources while corresponding vanilla
> > kernels are still supported? E.g. 4.9 is a longterm branch, so we
> > should be able to keep hardened-sources-4.9* up-to-date with
> > vanilla bugfixes. This will give a nice transition period for
> > hardened users.
>
> Transition to what exactly?

It doesn't really matter. Something will come up, but we need to
provide users a smooth experience before then. Supporting 4.9 looks
like a good solution here.

Most likely the KSPP project will come up, they are doing a good job:
bringing security features upstream, fixing bugs in PaX code during
the process [1]. This is what PaX should have done a long time ago,
they were even offered a CII grant for this job, but refused [2].

[1] http://openwall.com/lists/kernel-hardening/2017/05/02/4
[2] https://lists.coreinfrastructure.org/pipermail/cii-discuss/2015-August/000003.html

Best regards,
Andrew Savchenko