* [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Joseph C. Lininger @ 2010-04-19 16:53 UTC
To: gentoo-hardened
Hey folks,
Has anyone else noticed that the entire hardened-sources package has
vanished from the hardened-development overlay? I know it's a
development overlay and all, but I figured I should mention it because
it's just gone. All versions. It struck me as a bit odd. Any reason for
this?
--
Joseph C. Lininger, <jbahm@pcdesk.net>
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Ed W @ 2010-04-19 17:16 UTC
To: gentoo-hardened
On 19/04/2010 17:53, Joseph C. Lininger wrote:
> Hey folks,
> Has anyone else noticed that the entire hardened-sources package has
> vanished from the hardened-development overlay? I know it's a
> development overlay and all, but I figured I should mention it because
> it's just gone. All versions. It struck me as a bit odd. Any reason for
> this?
>
I guess others will disagree, but I have never been a huge fan of the
kernel ebuilds. I'm just not clear what they buy you over downloading
and compiling your own? I think there are a few extra patches in the
case of gentoo-sources, but that seems to be about it?
If you don't yet have an alternative in place then my choice is for the
vserver+grsec patches that you can grab from the linux-vserver.org site,
and this gives you a very easy way to set up chroot style jails with
lightweight virtualisation, plus all the grsec patches. If you just
want Pax then it's a fast moving target and you are best to grab and
patch your own kernel anyway, and don't forget to keep an archive of pax
patches used since they don't archive them on the site (annoying if you
are trying to diff the diff or whatever).
I realise everyone has different needs, but perhaps try pulling your own
kernel down and applying your own patches - I think it's about easier to
maintain in most cases?
Good luck
Ed W
* [gentoo-hardened] Re: kernel no longer in hardened-development overlay?
From: Kerin Millar @ 2010-04-19 17:46 UTC
To: gentoo-hardened
On 19/04/2010 17:53, Joseph C. Lininger wrote:
> Hey folks,
> Has anyone else noticed that the entire hardened-sources package has
> vanished from the hardened-development overlay? I know it's a
> development overlay and all, but I figured I should mention it because
> it's just gone. All versions. It struck me as a bit odd. Any reason for
> this?
They've been moved into anarchy's personal overlay:
http://git.overlays.gentoo.org/gitweb/?p=dev/anarchy.git;a=commit;h=a4802d1087c90a1371c15de195282c4601428dbe
Cheers,
--Kerin
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Michael Orlitzky @ 2010-04-19 18:31 UTC
To: gentoo-hardened
On 04/19/10 13:16, Ed W wrote:
> I guess others will disagree, but I have never been a huge fan of the
> kernel ebuilds. I'm just not clear what they buy you over downloading
> and compiling your own? I think there are a few extra patches in the
> case of gentoo-sources, but that seems to be about it?
>
>
> If you don't yet have an alternative in place then my choice is for the
> vserver+grsec patches that you can grab from the linux-vserver.org site
> and this gives you a very easy way to setup chroot style jails with
> lightweight virtualisation, plus all the grsec patches. If you just want
> Pax then it's a fast moving target and you are best to grab and patch
> your own kernel anyway, and don't forget to keep an archive of pax
> patches used since they don't archive them on the site (annoying if you
> are trying to diff the diff or whatever)
>
>
> I realise everyone has different needs, but perhaps try pulling your own
> kernel down and applying your own patches - I think it's about easier to
> maintain in most cases?
* The ebuilds for e.g. hardened-sources do all the patching for you,
which is nice.
* The fact that the kernel shows up in emerge output reminds me to
compile a new one.
* If a kernel is marked stable in Portage, it means that test dummies
have been running it for a while and they survived. It also means
no bugs were reported regarding integration with other in-tree
packages.
* Other packages in portage can require certain (versions of) kernels.
If you compile your own, Portage doesn't know about it. Easy enough
to fix via package.provided, but still a mild headache, especially if
we're talking about a large number of machines.
That's all I got.
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Mike Edenfield @ 2010-04-19 19:37 UTC
To: gentoo-hardened
On 4/19/2010 2:31 PM, Michael Orlitzky wrote:
> On 04/19/10 13:16, Ed W wrote:
>> I guess others will disagree, but I have never been a huge fan of the
>> kernel ebuilds. I'm just not clear what they buy you over downloading
>> and compiling your own? I think there are a few extra patches in the
>> case of gentoo-sources, but that seems to be about it?
> * The ebuilds for e.g. hardened-sources do all the patching for you,
> which is nice.
And since hardened-sources is three *different* patchsets put together,
this one alone is plenty reason for me :)
--Mike
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: David Sommerseth @ 2010-04-19 19:45 UTC
To: gentoo-hardened; +Cc: Michael Orlitzky
On 19/04/10 20:31, Michael Orlitzky wrote:
> On 04/19/10 13:16, Ed W wrote:
>> I guess others will disagree, but I have never been a huge fan of the
>> kernel ebuilds. I'm just not clear what they buy you over downloading
>> and compiling your own? I think there are a few extra patches in the
>> case of gentoo-sources, but that seems to be about it?
>>
>>
>> If you don't yet have an alternative in place then my choice is for the
>> vserver+grsec patches that you can grab from the linux-vserver.org site
>> and this gives you a very easy way to setup chroot style jails with
>> lightweight virtualisation, plus all the grsec patches. If you just want
>> Pax then it's a fast moving target and you are best to grab and patch
>> your own kernel anyway, and don't forget to keep an archive of pax
>> patches used since they don't archive them on the site (annoying if you
>> are trying to diff the diff or whatever)
>>
>>
>> I realise everyone has different needs, but perhaps try pulling your own
>> kernel down and applying your own patches - I think it's about easier to
>> maintain in most cases?
>
> * The ebuilds for e.g. hardened-sources do all the patching for you,
> which is nice.
>
> * The fact that the kernel shows up in emerge output reminds me to
> compile a new one.
>
> * If a kernel is marked stable in Portage, it means that test dummies
> have been running it for a while and they survived. It also means
> no bugs were reported regarding integration with other in-tree
> packages.
>
> * Other packages in portage can require certain (versions of) kernels.
> If you compile your own, Portage doesn't know about it. Easy enough
> to fix via package.provided, but still a mild headache, especially if
> we're talking about a large number of machines.
>
> That's all I got.
Yes, you are right. But still ... it's now closer to one year *without*
any updates for the stable kernel. Which means, compiling the latest
upstream 2.6.33.2 kernel might be a lot safer, than the 2.6.28-r9 which
is marked stable now.
As a comparison, Red Hat comes regularly with security fixes to their
kernels; some RHEL based kernels almost have an update with security
fixes every month. Of course you can blame it on the amount of
resources and equipment available for testing. On the other hand, RHEL
does backport patches from newer kernels to older kernels (to maintain
certifications) with (mostly) security fixes. That does take a lot of
manpower to manage. Anyhow, being able to release a new kernel for a
"stable marked" as RHEL aims at, containing security fixes, tells
something about the amount of vulnerabilities found in the kernel.
But, the hardened-sources really touches the nerve now in regards to
what I feel is safe. The PaX patches do provide some extra security
which not many else have. But still ... I am not as confident with
Hardened Gentoo as I once was. I honestly think that the hardened
sources now are more vulnerable than gentoo-sources, just because of the
age of the kernel. Granted, gentoo-sources do not have the PaX patch
set, but it is still fresher with more CVE and other security fixes than
what the current stable hardened-sources do have.
Fair enough, the Gentoo portage kernels do add some fixes which is not
in upstream yet ... but that's only valid when the kernel is not as old
as this one.
I have no problem accepting it if the Hardened team withdraws the current
hardened-sources. It will most probably create a lot more noise for
some time. But the current situation is unsustainable, in my honest
opinion. In fact, it would be a more honest approach if the Hardened
team withdrew the sources, giving advice on which stable kernel to run
instead or which approach to take to get a better solution.
The only reason I do not switch kernel yet (or distro), is that I still
have a hope that a newer kernel is just around the corner. But my hope
is fading... and lately faster than earlier.
kind regards,
David Sommerseth
* Re: [gentoo-hardened] Re: kernel no longer in hardened-development overlay?
From: Guillaume Castagnino @ 2010-04-19 20:12 UTC
To: gentoo-hardened
On Monday 19 April 2010 19:46:57, Kerin Millar wrote:
> They've been moved into anarchy's personal overlay:
>
> http://git.overlays.gentoo.org/gitweb/?p=dev/anarchy.git;a=commit;h=a4802d1087c90a1371c15de195282c4601428dbe
I really do NOT understand this move.
We had a centralized place where we could find ALL the hardened development.
This was quite good, even if we could consider ~arch as a better place.
Now we have to add one more overlay, containing some pieces of ebuild that do
not concern hardened at all (fprint is another story)...
What will be the next step? Each dev will add his overlay?
From the user point of view, this is becoming harder to maintain... How many
overlays will we have to add? With even more mess on packages that do not
concern hardened at all...
Please, keep ONE hardened overlay where all the devs take place!
Cheers
--
Guillaume Castagnino
casta@xwing.info / guillaume@castagnino.org
* [gentoo-hardened] Re: kernel no longer in hardened-development overlay?
From: Kerin Millar @ 2010-04-19 22:27 UTC
To: gentoo-hardened
On 19/04/2010 20:45, David Sommerseth wrote:
[snip]
> Yes, you are right. But still ... it's now closer to one year *without*
> any updates for the stable kernel. Which means, compiling the latest
> upstream 2.6.33.2 kernel might be a lot safer, than the 2.6.28-r9 which
> is marked stable now.
>
> As a comparison, Red Hat comes regularly with security fixes to their
> kernels; some RHEL based kernels almost have an update with security
> fixes every month. Of course you can blame it on the amount of
> resources and equipment available for testing. On the other hand, RHEL
> does backport patches from newer kernels to older kernels (to maintain
> certifications) with (mostly) security fixes. That does take a lot of
> manpower to manage. Anyhow, being able to release a new kernel for a
> "stable marked" as RHEL aims at, containing security fixes, tells
> something about the amount of vulnerabilities found in the kernel.
>
> But, the hardened-sources really touches the nerve now in regards to
> what I feel is safe. The PaX patches do provide some extra security
> which not many else have. But still ... I am not as confident with
> Hardened Gentoo as I once was. I honestly think that the hardened
> sources now are more vulnerable than gentoo-sources, just because of the
> age of the kernel. Granted, gentoo-sources do not have the PaX patch
> set, but it is still fresher with more CVE and other security fixes than
> what the current stable hardened-sources do have.
>
> Fair enough, the Gentoo portage kernels do add some fixes which is not
> in upstream yet ... but that's only valid when the kernel is not as old
> as this one.
>
> I have no problem accepting it if the Hardened team withdraws the current
> hardened-sources. It will most probably create a lot more noise for
> some time. But the current situation is unsustainable, in my honest
> opinion. In fact, it would be a more honest approach if the Hardened
> team withdrew the sources, giving advice on which stable kernel to run
> instead or which approach to take to get a better solution.
>
> The only reason I do not switch kernel yet (or distro), is that I still
> have a hope that a newer kernel is just around the corner. But my hope
> is fading... and lately faster than earlier.
>
+1 insightful. I wholeheartedly concur.
Cheers,
--Kerin
* Re: [gentoo-hardened] Re: kernel no longer in hardened-development overlay?
From: Ed W @ 2010-04-19 22:56 UTC
To: gentoo-hardened
On 19/04/2010 21:12, Guillaume Castagnino wrote:
> On Monday 19 April 2010 19:46:57, Kerin Millar wrote:
>
>> They've been moved into anarchy's personal overlay:
>>
>> http://git.overlays.gentoo.org/gitweb/?p=dev/anarchy.git;a=commit;h=a4802d1087c90a1371c15de195282c4601428dbe
>>
> I really do NOT understand this move.
> We had a centralized place where we could find ALL the hardened development.
> This was quite good, even if we could consider ~arch as a better place.
>
> Now we have to add one more overlay, containing some pieces of ebuild that do
> not concern hardened at all (fprint is another story)...
> What will be the next step? Each dev will add his overlay?
>
> From the user point of view, this is becoming harder to maintain... How many
> overlays will we have to add? With even more mess on packages that do not
> concern hardened at all...
>
>
> Please, keep ONE hardened overlay where all the devs take place!
>
>
Obviously without knowing anything further about the move I would tend
to agree, but perhaps:
- "anarchy" could explain the reasoning? Most likely there is some sane
reason for this?
- If such changes are made to the hardened project they could be
announced to the -hardened list?
I'm rather hoping that the hardened overlay has the potential to go away
at some point soon and all the changes absorbed into mainstream? I get
the impression that the size of the overlay is shrinking slowly (which
is good in my opinion...)?
Good luck all
Ed W
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Ed W @ 2010-04-19 23:02 UTC
To: gentoo-hardened
On 19/04/2010 20:37, Mike Edenfield wrote:
>> * The ebuilds for e.g. hardened-sources do all the patching for you,
>> which is nice.
>>
> And since hardened-sources is three *different* patchsets put together,
> this one alone is plenty reason for me :)
>
>
OK, I'll bite.... I don't have an old ebuild to hand, but the one in
"anarchy's" tree appears to be just grsec (plus some misc grsec
patches)? This agrees with my memory of the old ebuild, but don't have
one to hand?
I liked some of Michael's answers, but I'm not sure about this one?
Ed W
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Mansour Moufid @ 2010-04-19 23:05 UTC
To: gentoo-hardened
On Mon, Apr 19, 2010 at 12:53 PM, Joseph C. Lininger <jbahm@pcdesk.net> wrote:
> Hey folks,
> Has anyone else noticed that the entire hardened-sources package has
> vanished from the hardened-development overlay? I know it's a
> development overlay and all, but I figured I should mention it because
> it's just gone. All versions. It struck me as a bit odd. Any reason for
> this?
I was never a fan of overlays, so I've been doing as Ed W suggests
ever since I never received a response to my previous questions on the
subject. Back when GCC still had SSP, I didn't think delays with
hardened-sources were a big deal. But I think it's telling of the
current state of the Gentoo Hardened project that hardened-sources are
(certainly) more vulnerable than gentoo-sources, and even
vanilla-sources.
In any case, it's clear to me now that Gentoo Hardened is more a pet
project of a handful of (not very communicative) developers than it is
a serious (meta)distribution.
--
Mansour Moufid
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Ed W @ 2010-04-19 23:15 UTC
To: gentoo-hardened
>> I realise everyone has different needs, but perhaps try pulling your own
>> kernel down and applying your own patches - I think it's about easier to
>> maintain in most cases?
>
> * The ebuilds for e.g. hardened-sources do all the patching for you,
> which is nice.
Hmm, it's a very weak one, but yes ok.
> * The fact that the kernel shows up in emerge output reminds me to
> compile a new one.
OK, big thumbs up. Yes this is a very good reason.
> * If a kernel is marked stable in Portage, it means that test dummies
> have been running it for a while and they survived. It also means
> no bugs were reported regarding integration with other in-tree
> packages.
Actually, I'm just not buying this... The size of the coverage seems
very small compared with the much larger coverage which simply fixes the
problem and pushes the fix upstream?
I haven't done the research, but my gut feel would be that the latest
iteration of your chosen kernel version would be competitive with
someone of less than Redhat size trying to backport fixes into your much
older kernel version? I guess it's possible, but for the time being I
tend to vote for newer kernel vs gentoo patched older kernel...
> * Other packages in portage can require certain (versions of) kernels.
> If you compile your own, Portage doesn't know about it.
Not buying this one either... I haven't seen this working on the small
number of systems I have, and where it looks like it's supposed to be
working it doesn't quite seem to be working as you would like it to. E.g.
udev seems to look at the running kernel version (and can't parse my
hardened version, so it keeps telling me it's too old... It also seemed
to upgrade happily in a way which it then expected to break my
system!!). Nvidia seems to use a mishmash, but apparently guesses
something and falls back to the tree in /usr/src/linux and usually
simply dies horribly if the tree isn't as it expects. Lirc has
literally just failed to compile for me on a certain kernel version,
requiring me to downgrade to 2.6.32 on the machine I need lirc on.
I get the theory, but I'm not seeing this one work in practice.
So basically I would agree with:
- Easier for non hackers to do the patching
- Good reminder that your kernel is out of date.
I guess I concede the ebuilds are useful, but I would kind of expect
most people on this list to be well within the capability to build their
own kernel, so I would still recommend anyone who has avoided doing so
to give it a whirl first hand?
Good luck
Ed W
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Ed W @ 2010-04-19 23:24 UTC
To: gentoo-hardened
On 20/04/2010 00:05, Mansour Moufid wrote:
> On Mon, Apr 19, 2010 at 12:53 PM, Joseph C. Lininger <jbahm@pcdesk.net> wrote:
>
>> Hey folks,
>> Has anyone else noticed that the entire hardened-sources package has
>> vanished from the hardened-development overlay? I know it's a
>> development overlay and all, but I figured I should mention it because
>> it's just gone. All versions. It struck me as a bit odd. Any reason for
>> this?
>>
> I was never a fan of overlays, so I've been doing as Ed W suggests
> ever since I never received a response to my previous questions on the
> subject. Back when GCC still had SSP, I didn't think delays with
> hardened-sources were a big deal. But I think it's telling of the
> current state of the Gentoo Hardened project that hardened-sources are
> (certainly) more vulnerable than gentoo-sources, and even
> vanilla-sources.
>
> In any case, it's clear to me now that Gentoo Hardened is more a pet
> project of a handful of (not very communicative) developers than it is
> a serious (meta)distribution.
>
>
Hmm, I think this is inflammatory and as it happens I would disagree...
Can we please avoid annoying the few developers we have working on
hardened. I think it's fair to say that it's a small group, but equally
they have done a great job and really most of hardened is well catered
for. I even have a hardened uclibc running gcc 4.4, so I have to say a
big thank you to everyone who made this possible...!
I would also disagree that there are some big vulnerabilities just
because your "stable" kernel is older. Personally I prefer to stay a
little more up to date, but I think there are a good many Redhat and
Centos servers running much older kernels than that...
More to the point though, the whole project is hardly in tatters because
no one has pushed some newer version to "stable". I suspect the stable
version is lagging simply because the best ebuild has moved into this
overlay and hence it cannot become the "stable" version, so stable is
simply the last version in the main tree before the overlay became the
development source. Under the circumstances I think just set your
package mask appropriately and move on?
I think gentoo hardened is a fantastic project; please let's not
critique our few developers who continue to work on it.
Good luck
Ed W
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: klondike @ 2010-04-19 23:35 UTC
To: gentoo-hardened
2010/4/20 Mansour Moufid <mansourmoufid@gmail.com>:
> In any case, it's clear to me now that Gentoo Hardened is more a pet
> project of a handful of (not very communicative) developers than it is
> a serious (meta)distribution.
I have serious doubts on what you say because I have seen those developers working.
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Mansour Moufid @ 2010-04-19 23:43 UTC
To: gentoo-hardened
On Mon, Apr 19, 2010 at 7:24 PM, Ed W <lists@wildgooses.com> wrote:
> Can we please avoid annoying the few developers we have working on hardened.
I didn't mean to come off as critiquing anyone. I am a fan of the
Gentoo Hardened and Security projects. I was only stating my
impressions.
> I would also disagree that there are some big vulnerabilities just because
> your "stable" kernel is older. Personally I prefer to stay a little more up
> to date, but I think there are a good many Redhat and Centos servers running
> much older kernels than that...
I disagree. That is a dangerous assertion. It is no secret that most
vulnerabilities in Linux are fixed silently, without ever being
reported as such. Hence why older kernels are more vulnerable. As for
RedHat and CentOS:
``silently-fixing vulnerabilities
has become standard operating procedure among the kernel developers,
confusing even their own ranks as to what needs to be backported to
distro kernels or the stable tree.''[1]
[1] <http://milw0rm.com/exploits/9191>
--
Mansour Moufid
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Anthony G Basile @ 2010-04-20 0:00 UTC
To: gentoo-hardened
On Tue, 2010-04-20 at 01:35 +0200, klondike wrote:
> 2010/4/20 Mansour Moufid <mansourmoufid@gmail.com>:
> > In any case, it's clear to me now that Gentoo Hardened is more a pet
> > project of a handful of (not very communicative) developers than it is
> > a serious (meta)distribution.
> I have serious doubts on what you say because I have seen those developers working.
Thank you klondike.
Without going into details, the problem is that the overlay has drifted
far from tree and now we are working to bring the two together. Work on
the toolchain is progressing well and should get into the tree soon ---
we have a clear plan on how to proceed. Work on the kernel is furthest
out of sync. I'm not certain how this will go, but I'm confident we'll
work it out.
--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA
(716) 829-8197
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Tóth Attila @ 2010-04-20 5:08 UTC
To: gentoo-hardened
Thanks for all the dedicated developers working on the hardened project.
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962
On Tue, April 20, 2010 02:00, Anthony G Basile wrote:
> On Tue, 2010-04-20 at 01:35 +0200, klondike wrote:
>> 2010/4/20 Mansour Moufid <mansourmoufid@gmail.com>:
>> > In any case, it's clear to me now that Gentoo Hardened is more a pet
>> > project of a handful of (not very communicative) developers than it is
>> > a serious (meta)distribution.
>> I have serious doubts on what you say because I have seen those
>> developers working.
>
> Thank you klondike.
>
> Without going into details, the problem is that the overlay has drifted
> far from tree and now we are working to bring the two together. Work on
> the toolchain is progressing well and should get into the tree soon ---
> we have a clear plan on how to proceed. Work on the kernel is furthest
> out of sync. I'm not certain how this will go, but I'm confident we'll
> work it out.
>
> --
> Anthony G. Basile, Ph.D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> USA
>
> (716) 829-8197
>
>
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Kai Dietrich @ 2010-04-20 5:14 UTC
To: gentoo-hardened
On Tuesday 20 April 2010 Ed W <lists@wildgooses.com> wrote:
> I guess I concede the ebuilds are useful, but I would kind of expect
> most people on this list to be well within the capability to build their
> own kernel,
Well, I can just speak for me. It's not that I'm not able to do it, it's just
that I don't want to spend my precious time on patching kernels and figuring
out how to solve the occasional conflicting patch.
That's basically the point of using a distro, otherwise I could use LSF.
Kai
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
From: Darknight @ 2010-04-20 11:57 UTC
To: gentoo-hardened
2010-04-20 07:14:57 Kai Dietrich
> On Tuesday 20 April 2010 Ed W <lists@wildgooses.com> wrote:
> > I guess I concede the ebuilds are useful, but I would kind of expect
> > most people on this list to be well within the capability to build their
> > own kernel,
>
> Well, I can just speak for me. It's not that I'm not able to do it, it's
> just that I don't want to spend my precious time on patching kernels and
> figuring out how to solve the occasional conflicting patch.
>
> That's basically the point of using a distro, otherwise I could use LSF.
+1, I quit devving quite some time ago because I got tired of it (and still
haven't fully recovered) and I've never been a c/c++ dev.
The gentoo devs pretty much save my life every day with their work, I just
want to take care of my servers (and lusers :/) and will donate rather than
start applying non trivial patches to a big package like the kernel.
* [gentoo-hardened] Re: kernel no longer in hardened-development overlay?
2010-04-19 23:43 ` Mansour Moufid
@ 2010-04-20 12:36 ` Kerin Millar
2010-04-20 15:36 ` David Sommerseth
0 siblings, 1 reply; 23+ messages in thread
From: Kerin Millar @ 2010-04-20 12:36 UTC (permalink / raw
To: gentoo-hardened
On 20/04/2010 00:43, Mansour Moufid wrote:
> On Mon, Apr 19, 2010 at 7:24 PM, Ed W <lists@wildgooses.com> wrote:
>> Can we please avoid annoying the few developers we have working on hardened.
>
> I didn't mean to come off as critiquing anyone. I am a fan of the
> Gentoo Hardened and Security projects. I was only stating my
> impressions.
>
>> I would also disagree that there are some big vulnerabilities just because
>> your "stable" kernel is older. Personally I prefer to stay a little more up
>> to date, but I think there are a good many Redhat and Centos servers running
>> much older kernels than that...
Except that they don't use vanilla kernels and invest considerable
resources into the process of continually backporting fixes into their
respective patchsets, both security related and otherwise. RHEL has a
7-year life cycle during which introducing any potentially breaking
changes in the kernel (or changes that may have an adverse impact on
userspace) is simply out of the question.
>
> I disagree. That is a dangerous assertion. It is no secret that most
> vulnerabilities in Linux are fixed silently, without ever being
> reported as such. Hence why older kernels are more vulnerable. As for
> RedHat and CentOS:
Indeed. I believe that we'll be seeing a GLSA in the not-too-distant
future which settles this argument beyond any doubt.
Cheers,
--Kerin
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
2010-04-20 11:57 ` Darknight
@ 2010-04-20 13:34 ` Ed W
2010-04-20 13:46 ` Pavel Labushev
0 siblings, 1 reply; 23+ messages in thread
From: Ed W @ 2010-04-20 13:34 UTC (permalink / raw
To: gentoo-hardened
On 20/04/2010 12:57, Darknight wrote:
> 2010-04-20 07:14:57 Kai Dietrich
>
> start applying non trivial patches to a big package like the kernel.
>
All I'm saying is that in general your kernel patches *are* trivial to
apply. I know it feels scary, but in general if you are following a
patchset then it will be built for a specific kernel release and you
simply run patch to incorporate the changes - nothing further...
In the case of hardened-sources, I *believe* you can repro the effect
with something like:
- wget kernel-source
- wget grsec-patch-for-given-kernel
- patch -p0 < grsec-patch-for-given-kernel
Nothing further should be required (that's all I'm doing)
However, I'm actually not trying to dissuade you from using the ebuilds,
just pointing out that it's worth breaking down the "fear" that you
couldn't do this yourself fairly easily if you needed to.
Good luck
Ed W
* Re: [gentoo-hardened] kernel no longer in hardened-development overlay?
2010-04-20 13:34 ` Ed W
@ 2010-04-20 13:46 ` Pavel Labushev
0 siblings, 0 replies; 23+ messages in thread
From: Pavel Labushev @ 2010-04-20 13:46 UTC (permalink / raw
To: gentoo-hardened
20.04.2010 21:34, Ed W wrote:
> - wget kernel-source
> - wget grsec-patch-for-given-kernel
> - patch -p0 < grsec-patch-for-given-kernel
>
> Nothing further should be required (that's all I'm doing)
Don't you gpg --verify the grsec patch, btw? ;)
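The three-step procedure Ed W sketches (fetch the source, fetch the patch, run patch), with the gpg step Pavel asks about put in front of it, as an added example that is not part of the thread and not Gentoo's or grsecurity's own tooling. It runs offline: the kernel tree and the patch are stand-ins constructed with printf and a heredoc, the download lines are left out, and the keyring path, the GRSEC_KEYRING variable and all file names are assumptions. Two things the three-line version glosses over are handled: the strip level (-p0 versus -p1) depends on how the patch was generated, so it is found with a dry run rather than assumed, and a patch without a signature is refused before anything is written to the tree.

```shell
#!/bin/sh
# Added example (not from the thread): fetch/verify/patch, reduced to a form
# that runs offline. The "kernel" tree and the patch are constructed fixtures;
# GRSEC_KEYRING and the paths below are assumptions, not published locations.
set -eu

command -v patch >/dev/null 2>&1 || { echo "patch(1) is required" >&2; exit 1; }

WORK=$(mktemp -d)
TREE="$WORK/linux-2.6.32"
PATCHFILE="$WORK/grsecurity-stand-in.patch"

# --- constructed fixtures: a one-file "kernel" and a unified diff against it ---
mkdir -p "$TREE/kernel"
printf 'int grsec_enabled = 0;\n' > "$TREE/kernel/grsec.c"
# The paths carry the tree name as a leading component, so from inside the
# tree this patch needs -p1; a -p0 attempt must fail.
cat > "$PATCHFILE" <<'EOF'
--- linux-2.6.32/kernel/grsec.c
+++ linux-2.6.32/kernel/grsec.c
@@ -1 +1 @@
-int grsec_enabled = 0;
+int grsec_enabled = 1;
EOF

# Verify a detached signature before the patch touches the tree. A missing
# .sig is a hard failure: an unsigned download is untrusted input. A dedicated
# keyring is used so that a good signature from some unrelated key that
# happens to be in the default keyring is not accepted.
verify_patch() {
    patchfile=$1
    keyring=${GRSEC_KEYRING:-/etc/grsecurity/pubring.kbx}   # assumed location
    if [ ! -f "$patchfile.sig" ]; then
        echo "refusing: no detached signature for $patchfile" >&2
        return 1
    fi
    gpg --no-default-keyring --keyring "$keyring" --verify "$patchfile.sig" "$patchfile"
}

# Find the -p level at which the patch applies cleanly. --dry-run writes
# nothing; -f stops patch(1) from prompting when a path cannot be found.
detect_strip() {
    tree=$1; patchfile=$2
    for n in 0 1 2; do
        if (cd "$tree" && patch --dry-run -f -s -p"$n" < "$patchfile" >/dev/null 2>&1); then
            echo "$n"
            return 0
        fi
    done
    return 1
}

# Apply at the detected level; refuse outright rather than leave a
# half-patched tree when no level applies cleanly (a conflicting patch).
apply_patch() {
    tree=$1; patchfile=$2
    n=$(detect_strip "$tree" "$patchfile") || { echo "patch does not apply cleanly" >&2; return 1; }
    (cd "$tree" && patch -f -s -p"$n" < "$patchfile")
}

# Read the flag back out of the stand-in source so results can be checked.
grsec_flag() {
    sed -n 's/^int grsec_enabled = \([01]\);$/\1/p' "$1/kernel/grsec.c"
}

# The workflow in the order the thread arrives at: verify first, patch only
# if the signature checks out. In this offline run there is no .sig, so the
# tree is left untouched.
if verify_patch "$PATCHFILE"; then
    apply_patch "$TREE" "$PATCHFILE"
else
    echo "signature check failed; tree left unpatched (grsec_enabled=$(grsec_flag "$TREE"))"
fi
```

gpg --verify exits 0 for a good signature from any key in the keyring it is handed, which is why the check points it at a keyring holding only the signing key you imported and compared by fingerprint; against the default keyring, any key you ever imported would do. The dry run also covers the "occasional conflicting patch" Kai mentions: a patch that applies cleanly at no strip level is refused, and the tree is never left half-applied.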
* Re: [gentoo-hardened] Re: kernel no longer in hardened-development overlay?
2010-04-20 12:36 ` [gentoo-hardened] " Kerin Millar
@ 2010-04-20 15:36 ` David Sommerseth
0 siblings, 0 replies; 23+ messages in thread
From: David Sommerseth @ 2010-04-20 15:36 UTC (permalink / raw
To: gentoo-hardened; +Cc: Kerin Millar
On 20/04/10 14:36, Kerin Millar wrote:
>>> I would also disagree that there are some big vulnerabilities just
>>> because
>>> your "stable" kernel is older. Personally I prefer to stay a little
>>> more up
>>> to date, but I think there are a good many Redhat and Centos servers
>>> running
>>> much older kernels than that...
>
> Except that they don't use vanilla kernels and invest considerable
> resources into the process of continually backporting fixes into their
> respective patchsets, both security related and otherwise. RHEL has a
> 7-year life cycle during which introducing any potentially breaking
> changes in the kernel (or changes that may have an adverse impact on
> userspace) is simply out of the question.
Kerin is very much right. The RHEL/CentOS kernels do have a lot of
backports from newer kernels. But it's not only security or bug fixes.
It's updated drivers and other hardware enablements as well, in
addition to new features. RHEL5.4 introduced fully Red Hat supported
KVM, something which was just beyond imagination when the first RHEL5
release came with 2.6.18. And it still is a 2.6.18 *based* kernel
today. But feature-wise, it's a much more modern kernel.
But in reality, it is not fair to call it a 2.6.18 kernel [1], just
because of the enormous amount of backports. And those backports are
not allowed to change the kABI (kernel application binary interface, which
e.g. glibc and all modules use) at all, so that all applications and
services which were installed with the first RHEL5.0 release should
still work for the next 7 years - guaranteed.
The Gentoo Hardened project will never be able to really manage that, as
Gentoo is not aiming to be an enterprise level distribution like RHEL,
CentOS or Novell SLES. So comparing the kernels between Gentoo and
enterprise Linux kernels is not a fair comparison at all.
kind regards,
David Sommerseth
[1] <http://www.channelregister.co.uk/2010/03/31/redhat_rhel_5_5/>
Thread overview: 23+ messages
2010-04-19 16:53 [gentoo-hardened] kernel no longer in hardened-development overlay? Joseph C. Lininger
2010-04-19 17:16 ` Ed W
2010-04-19 18:31 ` Michael Orlitzky
2010-04-19 19:37 ` Mike Edenfield
2010-04-19 23:02 ` Ed W
2010-04-19 19:45 ` David Sommerseth
2010-04-19 22:27 ` [gentoo-hardened] " Kerin Millar
2010-04-19 23:15 ` [gentoo-hardened] " Ed W
2010-04-20 5:14 ` Kai Dietrich
2010-04-20 11:57 ` Darknight
2010-04-20 13:34 ` Ed W
2010-04-20 13:46 ` Pavel Labushev
2010-04-19 17:46 ` [gentoo-hardened] " Kerin Millar
2010-04-19 20:12 ` Guillaume Castagnino
2010-04-19 22:56 ` Ed W
2010-04-19 23:05 ` [gentoo-hardened] " Mansour Moufid
2010-04-19 23:24 ` Ed W
2010-04-19 23:43 ` Mansour Moufid
2010-04-20 12:36 ` [gentoo-hardened] " Kerin Millar
2010-04-20 15:36 ` David Sommerseth
2010-04-19 23:35 ` [gentoo-hardened] " klondike
2010-04-20 0:00 ` Anthony G Basile
2010-04-20 5:08 ` Tóth Attila