From: Alice Ferrazzi <alicef@gentoo.org>
To: gentoo Project mailinglist <gentoo-project@lists.gentoo.org>
Cc: Gentoo Development <gentoo-dev@lists.gentoo.org>,
gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
Date: Sat, 24 Jun 2017 03:54:25 +0900 [thread overview]
Message-ID: <CANWzcUoffN2+2W5VCFE6RsRXVErQyM9f3vSe-wPHOgd20151kA@mail.gmail.com> (raw)
In-Reply-To: <ea98b420-db01-4b70-68a3-f8f9a3f8b9cf@gentoo.org>
On Sat, Jun 24, 2017 at 1:28 AM, Anthony G. Basile <blueness@gentoo.org> wrote:
>
> Hi everyone,
>
> Since late April, grsecurity upstream has stop making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> its time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>
As we already contribute to grsec in the past,
would be sad to see hardened-sources go away.
What about the possibility of Gentoo forking PaX ?
--
Thanks,
Alice Ferrazzi
Gentoo Kernel Project Leader
Mail: Alice Ferrazzi <alicef@gentoo.org>
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
next prev parent reply other threads:[~2017-06-23 18:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-23 16:28 [gentoo-project] The status of grsecurity upstream and hardened-sources downstream Anthony G. Basile
2017-06-23 17:27 ` William L. Thomson Jr.
2017-06-23 17:49 ` Toralf Förster
2017-06-23 18:08 ` Mike Gilbert
2017-06-23 18:47 ` Michael Orlitzky
2017-06-23 18:04 ` NP-Hardass
2017-06-23 18:54 ` Alice Ferrazzi [this message]
2017-06-23 20:46 ` Sergei Trofimovich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANWzcUoffN2+2W5VCFE6RsRXVErQyM9f3vSe-wPHOgd20151kA@mail.gmail.com \
--to=alicef@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
--cc=gentoo-hardened@lists.gentoo.org \
--cc=gentoo-project@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox