From: philipp.ammann@posteo.de
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] The state of grsecurity in gentoo
Date: Fri, 04 Sep 2015 13:33:35 +0200
In-Reply-To: <20150903210855.GE5210@schiffbauer.net>
References: <55E7202D.7080402@opensource.dyc.edu> <20150903192826.GF30362@schiffbauer.net> <55E8A3AB.1010703@gentoo.org> <20150903210855.GE5210@schiffbauer.net>

On 03.09.2015 23:08, Marc Schiffbauer wrote:
> * Matthew Thode wrote on 03.09.15 at 21:46:
>> On 09/03/2015 02:28 PM, Marc Schiffbauer wrote:
>>> * Anthony G. Basile wrote on 02.09.15 at 18:13:
>>>> Hi everyone,
>>>>
>>>> So by now most people have heard the news that the Grsecurity/PaX team
>>>> are no longer going to be making their stable patches available. The
>>>> reason is that they are in dispute with a certain embedded systems
>>>> vendor and those negotiations broke down. So they decided to make their
>>>> stable patches only available to the sponsors. [1]
>>>>
>>>> What does this mean for Gentoo? Up until now I have been maintaining
>>>> both the grsec upstream stable and testing patchsets in our
>>>> hardened-sources. Currently the upstream stable kernels are 3.2.71 and
>>>> 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
>>>> 3.14.51 patchsets will no longer be available and I'll continue pushing
>>>> out the 4.1.6. Unfortunately the testing patchset is precisely as the
>>>> name suggests --- for testing and not production. For the embedded
>>>> systems company this will be the kiss of death because those patches are
>>>> not suitable for long term. For Gentoo it will mean that I will have to
>>>> be more vigilant about bugs and trying to stick with a well known kernel
>>>> before moving on. You can still use these kernels in production, but
>>>> you must be careful about instabilities as upstream pushes out
>>>> experimental features that may oops or panic. Keep older kernel images
>>>> around and revert if it doesn't work. Look to this list for
>>>> announcements about more serious issues like things that can cause data
>>>> loss.
>>>>
>>>> I'm hoping that once this company feels the sting of what has just
>>>> happened, they'll come back to the table and talk with Grsec/PaX people.
>>>> They won't be able to ship boards with grsec anymore because it's not so
>>>> easy to switch out a kernel on a board! If they ship a board with a
>>>> bug, they lose. We just reboot :)
>>>>
>>>> [1] https://grsecurity.net/
>>>
>>> Can't Gentoo be a sponsor? I think we could easily crowdfund a
>>> sponsorship.
>>>
>>> This would help Gentoo and Grsecurity/PaX but OTOH that vendor might just
>>> use the gentoo kernel if they haven't already done so.
>>>
>>> Thoughts?
>>>
>> We can't do that because it would make the LTS patches public, which
>> spender is trying to avoid.
>
> True and what I wanted to say with the OTOH part. But doesn't this apply
> to any sponsor? I mean we are talking about GPL'ed Software... does the
> GPL permit distributing source under some kind of NDA?
>
> I fully respect their decision but I hope things will be back to normal
> again soon.
>

No, you can't override the GPL with an NDA. But a sponsor - who is selling
products based on grsecurity - is not required to make the code available
to the general public, only to the customer who pays for the product.
They're also not required to make their /patches/ available, only the
complete source. So even if you get the sources from a customer (or you buy
the product yourself), you would have to diff the code against a vanilla
kernel - and then you only get a huge patch that includes *all* changes.
Extracting just the grsecurity patch from that is complicated and error
prone. You'll probably run into fewer bugs if you just stick to the public
testing patches.

Philipp