Re: [gentoo-hardened] The state of grsecurity in gentoo

[Matthew Thode <prometheanfire@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 2376 bytes --]

On 09/03/2015 02:28 PM, Marc Schiffbauer wrote:
> * Anthony G. Basile schrieb am 02.09.15 um 18:13 Uhr:
>> Hi everyone,
>>
>> So by now most people have heard the news that the Grsecurity/PaX team 
>> are no longer going to be making their stable patches available.  The 
>> reason is that they are in dispute with a certain embedded systems 
>> vendor and those negotiations broke down.  So they decided to make their 
>> stable patches only available to the sponsors. [1]
>>
>> What does this mean for Gentoo?  Up until now I have been maintaining 
>> both the grsec upstream stable and testing patchsets in our 
>> hardened-sources.  Currently the upstream stable kernels are 3.2.71 and 
>> 3.14.51 and the testing are 4.1.6.  In about one week, the 3.2.71 and 
>> 3.14.51 patchsets will no longer be available and I'll continue pushing 
>> out the 4.1.6.  Unfortunately the testing patchset is precisely as the 
>> name suggests --- for testing and not production.  For the embedded 
>> systems company this will be the kiss of death because those patches are 
>> not suitable for long term.  For Gentoo it will mean that I will have to 
>> be more vigilant about bugs and trying to stick with a well known kernel 
>> before moving on.  You can still use these kernels in production, but 
>> you must be carefull about instabilities as upstream pushes out 
>> experimental feature that may oops or panic.  Keep older kernel images 
>> around and revert if it doesn't work.  Look to this list for 
>> announcements about more serious issues like things that can cause data 
>> loss.
>>
>> I'm hoping that once this company feels the sting of what has just 
>> happened, they'll come back to the table and talk with Grsec/PaX people.
>> They won't be able to ship boards with grsec anymore because its not so 
>> easy to switch out a kernel on a board!  If they ship a board with a 
>> bug, they loose.  We just reboot :)
>>
>> [1] https://grsecurity.net/
> 
> Can't Gentoo be a sponsor? I think we could easly croudfund a 
> sponsorship.
> 
> This would help Gentoo and Grsecurty/PaX but OTOH that vendor might just 
> use the gentoo kernel if they not already did so.
> 
> Thoughts?
> 
We can't do that because it would make the LTS patches public, which
spender is trying to avoid.

-- 
-- Matthew Thode (prometheanfire)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]