From: Daniel Cegiełka
Date: Sat, 29 Apr 2017 17:56:10 +0200
Subject: Re: [gentoo-hardened] RIP hardened-sources
To: gentoo-hardened@lists.gentoo.org
In-Reply-To: <20170429124744.GP28917@home.power>

2017-04-29 14:47 GMT+02:00 Alex Efros:
> Hi!
>
> On Sat, Apr 29, 2017 at 01:49:20PM +0200, Luis Ressel wrote:
>> I suppose we all just grudgingly switch over to gentoo-sources?
>
> I wonder for how long time current kernel with grsec will be more safe and
> protected against new exploits than up-to-date gentoo-sources…
> Something new in security: avoid updates to have better protection.

It's not about grsecurity, it's about PaX. This was the basic layer of protection. Gentoo Hardened has spent years working to provide PaX support in userland. It was the core of this project. Alpine Linux and others are also based on PaX. After years of building _trust_, it all disappears overnight. You can use Grsecurity, you can use SELinux, you can use RSBAC, but you do not have a good alternative for PaX.
And this is an existential problem for all these projects. By the way, I don't know what Gentoo Hardened or Alpine Linux have done wrong that they are now left out in the cold.

Instead of complaining, we have to decide what to do next. In my opinion, it is critical to maintain support for PaX* for future kernels. It will not be easy, so I'm saying right away that Gentoo Hardened, Alpine Linux etc. should join forces in realizing this project. I think there will be more people who will be interested in...

* https://www.grsecurity.net/~paxguy1/

Daniel