public inbox for gentoo-project@lists.gentoo.org
 help / color / mirror / Atom feed
From: "Anthony G. Basile" <blueness@gentoo.org>
To: Gentoo Development <gentoo-dev@lists.gentoo.org>,
	Gentoo project list <gentoo-project@lists.gentoo.org>,
	gentoo-hardened@lists.gentoo.org
Subject: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
Date: Fri, 23 Jun 2017 12:28:27 -0400	[thread overview]
Message-ID: <ea98b420-db01-4b70-68a3-f8f9a3f8b9cf@gentoo.org> (raw)

Hi everyone,

Since late April, grsecurity upstream has stop making their patches
available publicly.  Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project.  I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening.  The two are
interrelated but independent enough that toolchain hardening can
continue on its own.  The hardened kernel, however, provided PaX
protection for executables and this will be lost.  We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue.  At this point, I think
its time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows.  I'll wait one more month and then send out
a news item and later mask hardened-sources for removal.  I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings.

I welcome feedback.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA


             reply	other threads:[~2017-06-23 16:28 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-23 16:28 Anthony G. Basile [this message]
2017-06-23 17:27 ` [gentoo-project] The status of grsecurity upstream and hardened-sources downstream William L. Thomson Jr.
2017-06-23 17:49 ` Toralf Förster
2017-06-23 18:08   ` Mike Gilbert
2017-06-23 18:47   ` Michael Orlitzky
2017-06-23 18:04 ` NP-Hardass
2017-06-23 18:54 ` Alice Ferrazzi
2017-06-23 20:46 ` Sergei Trofimovich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ea98b420-db01-4b70-68a3-f8f9a3f8b9cf@gentoo.org \
    --to=blueness@gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    --cc=gentoo-hardened@lists.gentoo.org \
    --cc=gentoo-project@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox