From: "Francisco Blas Izquierdo Riera (klondike)"
Subject: Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
To: gentoo-hardened@lists.gentoo.org
Cc: Mathias Krause
Date: Sat, 24 Jun 2017 12:59:43 +0200
Message-ID: <2324b4ef-5823-2a41-aec3-d721bd530b3a@gentoo.org>

On 23/06/17 at 18:28, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches available publicly. Without going into details, the reason for their decision revolves around disputes about how their patches were being (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources kernel, their decision has serious repercussions for the Hardened Gentoo project. I will no longer be able to support hardened-sources and will have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via hardened-sources) and toolchain/executable hardening. The two are interrelated but independent enough that toolchain hardening can continue on its own. The hardened kernel, however, provided PaX protection for executables and this will be lost. We did a lot of work to properly maintain PaX markings in our package management system and there was no part of Gentoo that wasn't touched by issues stemming from PaX support.
>
> I waited two months before saying anything because the reasons were more of a political nature than some technical issue. At this point, I think it's time to let the community know about the state of affairs with hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal, they kicked everyone), and so I have not spoken to spengler or pipacs. I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out a news item and later mask hardened-sources for removal. I don't recommend we remove any of the machinery from Gentoo that deals with PaX markings.
>
> I welcome feedback.
>

Hi!

I know that minipli has been working on keeping the last released grsec patches up to date on the 4.9 LTS branch and was sharing his work on a GitHub repository. I believe his work could be a good alternative for a few more years and give us enough time to see how everything evolves. Maybe the upstream people start taking things seriously and we can drop the hardened-sources by then (not very optimistic about that though). Or maybe spender and the PaX Team start releasing patches again (as the situation looks now I also doubt it). Either way it will buy us time at the expense of lack of new hardware compatibility.
Klondike