List-Id: Gentoo Project discussion list
Reply-To: gentoo-project@lists.gentoo.org
From: Alice Ferrazzi
Date: Sat, 24 Jun 2017 03:54:25 +0900
Subject: Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
To: gentoo Project mailinglist
Cc: Gentoo Development,
 gentoo-hardened@lists.gentoo.org

On Sat, Jun 24, 2017 at 1:28 AM, Anthony G. Basile wrote:
>
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>

As we already contributed to grsec in the past, it would be sad to see
hardened-sources go away.
What about the possibility of Gentoo forking PaX?

--
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
Mail: Alice Ferrazzi
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A