From: Daniel Cegiełka
Date: Mon, 1 May 2017 12:24:14 +0200
Subject: Re: [gentoo-hardened] Technical repercussions of grsecurity removal
To: gentoo-hardened@lists.gentoo.org
In-Reply-To: <20170501093843.GA927@gentoo.org>

2017-05-01 11:38 GMT+02:00 Sven Vermeulen:
> Hi all,
>
> There is a nice debate ongoing on the mailing list [1] on the topic of
> grsecurity's recent decision to no longer provide the test patches to the
> public. I'd like to keep the debate on the rationale of it in that
> discussion, but focus here on what we, from Gentoo Hardened, now need to do
> or which direction we're going to move forward with.
>
> [1]
> https://archives.gentoo.org/gentoo-hardened/message/a06145056b167f52c079bffd9c9a51ac
>
> The obvious step is indeed to stop further *current* development on
> hardened-sources. I don't know how many additional patchsets are being
> implemented in it (blueness? Zorry?) so I don't know if it means that
> hardened-sources in total is done with or not.

Hi,

I have already written my opinion:

https://archives.gentoo.org/gentoo-hardened/message/97ccd6d5eb7f94c3cce2ac48ed41a7bb
https://archives.gentoo.org/gentoo-hardened/message/139ab72c413b2b83e08c948b061882bf

Summing up:

* PaX is the most important part of the Gentoo Hardened project (Grsecurity, SELinux, RSBAC)
* We can't use the 'grsecurity' name, which means that a fork of grsecurity == rewriting everything with the 'grsecurity' (or 'grsec') name... (~225k LOC grsec+PaX)
* PaX (~176k LOC) is available as a separate patch (1), so we can use it without the risk of the 'grsecurity' trademark

My opinion is: we should continue to use the PaX patch and keep the Gentoo Hardened project alive.

(1) https://www.grsecurity.net/~paxguy1/

Daniel