public inbox for gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Meeting 2014-03-27 20:00UTC and log from last meeting
From: Magnus Granberg
Date: 2014-03-26 22:23 UTC
To: gentoo-hardened, hardened-dev, hardened, hardened-kernel, selinux

Agenda for the meeting
1.0 Toolchain
2.0 Kernel and Grsec/PaX
3.0 Selinux
4.0 System Integrity
5.0 Profiles
6.0 Docs
7.0 Bugs
8.0 Media
9.0 Open floor
/Magnus

[-- Attachment #2: meeting-2014-02-27_20:00UTC.log --]

[21:08:48] <Zorry> 1.0 Toolchain
[21:09:43] <blueness> i have something but i'll wait for you Zorry
[21:09:44] <Zorry> i may get some help to upstream pie/ssp/fortify and that stuff from kees (google) to gcc 4.10/5.0
[21:10:01] <Zorry> when it hit stage 1
[21:10:09] <SwifT> he's a google engineer, or through a gsoc project?
[21:10:25] <Zorry> SwifT:  google/ubuntu
[21:10:26] <blueness> canonical dude i think
[21:11:03] <Zorry> did most of the hardened part for ubuntu
[21:11:35] <Zorry> else i don't have that much
[21:11:57] <Zorry> any qa before i let blueness talk?
[21:12:07] <SwifT> nope
[21:12:15] <Zorry> blueness: 
[21:12:27] <blueness> i just wanted to report on musl
[21:12:44] <blueness> i've got amd64, x86 and armv7a_hardfs with musl now on /experimental
[21:13:03] <blueness> and i'm going to be working on hardening that later, its much more involved than uclibc
[21:13:17] <prometheanfire> git?
[21:13:19] <blueness> so its very bleeding edge
[21:13:25] <blueness> but it is usable
[21:13:31] <blueness> prometheanfire, what do you mean?
[21:13:47] <prometheanfire> git on uclibc is still broken (on arm) iirc
[21:14:00] <blueness> oh its on the gentoo mirrors under /experimental/{amd64,arm,x86}/musl
[21:14:14] <blueness> prometheanfire, not anymore, vapier backported the necessary patches
[21:14:28] <blueness> uclibc-0.9.32.2-r10 is fine
[21:14:33] <prometheanfire> ah, nice
[21:14:36] <prometheanfire> steev: ^^
[21:14:39] <blueness> the next stage3's will have it fixed
[21:14:44] <blueness> steev should know
[21:14:49] <prometheanfire> ok, next?
[21:15:00] <blueness> about uclibc, all stages are proceeding forward cleanly, not much to do there but just keep up
[21:15:08] <blueness> so that's mostly completed
[21:15:18] <blueness> yes next
[21:15:39] <Zorry> 2.0 Kernel Grsec/PaX
[21:15:53] <blueness> okay, not much about grsec per se
[21:16:09] <blueness> i'm looking to stabilize a 3.13.x kernel because there were some problems reported with the 3.12
[21:16:27] <blueness> but for xattr pax we have progressed
[21:16:42] <blueness> so remember that install.py wrapper was very slow
[21:16:49] <zaxim> is there any way to change the CONFIG_GRKERNSEC_FLOODTIME without recompiling the kernel?
[21:16:52] <blueness> i rewrote that wrapper in C
[21:17:03] <Zorry> zaxim: meeting can you wait
[21:17:17] <blueness> its in the tree under sys-app/install-xattr
[21:17:36] <blueness> so now we have to get portage
[21:17:44] <zaxim> sorry, didn't notice. I'll go to another channel, thanks
[21:18:08] <blueness> but you can use it now, if you hack up portage to aim to it
[21:18:08] <prometheanfire> blueness: I'll need to test 3.13.(latest) for the intel badness I had with earlier releases
[21:18:12] <blueness> it runs much much faster
[21:18:19] <blueness> prometheanfire, please test
[21:18:30] <blueness> okay that's all from me, i have to help my wife again, brb
[21:19:04] <Zorry> anyone else?
[21:19:13] <Zorry> else next?
[21:20:00] <Zorry> 3.0 Selinux
[21:20:06] <SwifT> my turn
[21:20:14] <SwifT> two short things to mention:
[21:20:36] <SwifT> 1) libselinux and libsemanage are now python3.3 ready (nothing to do there, just to test and enable in the ebuilds)
[21:21:05] <blueness> back
[21:21:06] <SwifT> problem is that ebuilds using python-r1 eclasses have to explicitly mention which pythons they support, and when I bumped the ebuilds earlier there was no 3.3 yet
[21:21:14] <SwifT> so now they do
[21:21:34] <SwifT> 2) there are no longer package masks in profiles/base towards selinux packages as all packages are USE=selinux triggered anyway
[21:21:50] <SwifT> that means we don't need to mask a policy package in profiles/base and unmask in profiles/features/selinux anymore
[21:22:00] <SwifT> reduces some of the overhead of introducing new policy packages
[21:22:10] <SwifT> that's it
[21:22:33] <blueness> no questions from me
[21:22:52] <Zorry> next then?
[21:23:01] <Zorry> 4.0 System Integrity
[21:23:09] <SwifT> my turn again ;)
[21:23:34] <blueness> yep
[21:23:39] <SwifT> i've been working with some mitre guys to see how we can integrate gentoo specific checks into OVAL (a complex XML language used to describe automated vulnerability tests)
[21:24:03] <blueness> you mentioned oval long ago
[21:24:23] <SwifT> for most of the work, we can deal with the standard tests (like file content tests), but we might need to create specific ones for portage (just like debian has a dpkg_info object, and there is an rpm_info object, we might need an ebuild_info object)
[21:24:45] <SwifT> it's not something that'll go in quickly though, there's quite a process to design and look at it
[21:25:11] <SwifT> when I am back "full force" on gentoo, i'll be describing that in much more detail
[21:25:33] <SwifT> that's it
[21:25:58] <Zorry> okay next?
[21:26:05] <Zorry> 5.0 Profiles
[21:26:42] <Zorry> any news?
[21:26:56] <blueness> Zorry, not really
[21:27:13] <Zorry> okay
[21:27:15] <blueness> i didn't do any more work on the desktop profile, but i did blog about the problem
[21:27:15] <Zorry> next then
[21:27:30] <Zorry> 6.0 Docs
[21:27:38] <SwifT> nothing from me there
[21:28:42] <blueness> next?
[21:28:47] <Zorry> yes
[21:28:58] <Zorry> 7.0 Bugs
[21:29:03] <steev> prometheanfire: I SAID THAT AGES AGO
[21:30:07] <Zorry> don't have any 
[21:30:18] -*- satmd tries to remember
[21:30:22] <SwifT> i have plenty, but haven't been able to look at them yet
[21:30:23] <prometheanfire> they don't exist
[21:30:27] <satmd> mine was solved
[21:30:35] <Zorry> but i think we need some help to fix bugs or patches for bugs
[21:31:00] <blueness> Zorry, i have lots but nothing to share really ...
[21:31:13] <Zorry> blueness: me too
[21:31:45] <blueness> this is a short meeting, but i did a lot of work with musl, just not much to report really
[21:31:50] <blueness> work in progress
[21:31:59] <SwifT> short meetings are important as well
[21:32:00] <Zorry> next then?
[21:32:05] <Zorry> 8.0 Media
[21:32:07] <blueness> yes next
[21:32:47] <steev> oh, my bad, didn't realize meeting was going on
[21:32:49] <Zorry> we did get some media
[21:33:15] <Zorry> was posted some time ago in the channel
[21:33:38] <SwifT> yes, cert blog
[21:33:48] <blueness> oh yeah the cert blog
[21:34:08] <blueness> http://www.cert.org/blogs/certcc/post.cfm?EntryID=193
[21:34:23] <SwifT> good PR
[21:34:24] <SwifT> ;)
[21:34:38] <blueness> yeah i like it because it was very simple to read
[21:34:47] <prometheanfire> speaking of PR...
[21:34:51] <prometheanfire> SwifT:
[21:34:52] <SwifT> of course, it's massively due to grsec, so thanks to them!
[21:35:06] <SwifT> yeeeees?
[21:35:14] <prometheanfire> your interview is all
[21:35:38] <SwifT> all?
[21:35:47] <prometheanfire> sure
[21:36:29] <blueness> guys i have to go again, my wife needs more help
[21:36:37] <blueness> i'm sorry, but i think we're done
[21:36:38] <blueness> bye bye
[21:37:20] <Zorry> some of us were on fosdem
[21:37:27] <Zorry> blueness: bye
[21:37:28] <SwifT> ah gmn interview; haven't read the final one yet
[21:37:31] <prometheanfire> true, saw you in the photo
[21:38:05] <Zorry> next?
[21:38:13] <Zorry> 9.0 Open floor
[21:38:19] <Zorry> anything ?
[21:38:33] <Zorry> else the meeting is done and ty all
