From: "Francisco Blas Izquierdo Riera (klondike)"
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] The state of grsecurity in gentoo
Date: Wed, 2 Sep 2015 21:17:35 +0200
Message-ID: <55E74B4F.1040308@gentoo.org>
In-Reply-To: <55E7202D.7080402@opensource.dyc.edu>

On 02/09/15 at 18:13, Anthony G. Basile wrote:
> Hi everyone,
>
> So by now most people have heard the news that the Grsecurity/PaX team
> are no longer going to be making their stable patches available. The
> reason is that they are in dispute with a certain embedded systems
> vendor and those negotiations broke down. So they decided to make
> their stable patches only available to the sponsors. [1]
>
> What does this mean for Gentoo? Up until now I have been maintaining
> both the grsec upstream stable and testing patchsets in our
> hardened-sources. Currently the upstream stable kernels are 3.2.71
> and 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71
> and 3.14.51 patchsets will no longer be available and I'll continue
> pushing out the 4.1.6. Unfortunately the testing patchset is
> precisely as the name suggests --- for testing and not production.
> For the embedded systems company this will be the kiss of death
> because those patches are not suitable for long term. For Gentoo it
> will mean that I will have to be more vigilant about bugs and trying
> to stick with a well known kernel before moving on. You can still use
> these kernels in production, but you must be careful about
> instabilities as upstream pushes out experimental features that may
> oops or panic. Keep older kernel images around and revert if it
> doesn't work. Look to this list for announcements about more serious
> issues like things that can cause data loss.
>
> I'm hoping that once this company feels the sting of what has just
> happened, they'll come back to the table and talk with Grsec/PaX people.
> They won't be able to ship boards with grsec anymore because it's not
> so easy to switch out a kernel on a board! If they ship a board with
> a bug, they lose. We just reboot :)
>
> [1] https://grsecurity.net/
>

Only thing to add here is that spender expects the unstable kernels to become more stable in the medium term because of this.