From: "Anthony G. Basile" <blueness@gentoo.org>
To: Gentoo Development <gentoo-dev@lists.gentoo.org>,
Gentoo project list <gentoo-project@lists.gentoo.org>,
gentoo-hardened@lists.gentoo.org
Subject: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
Date: Fri, 23 Jun 2017 12:28:27 -0400
Message-ID: <ea98b420-db01-4b70-68a3-f8f9a3f8b9cf@gentoo.org>
Hi everyone,

Since late April, grsecurity upstream has stopped making their patches
available publicly. Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project. I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening. The two are
interrelated but independent enough that toolchain hardening can
continue on its own. The hardened kernel, however, provided PaX
protection for executables and this will be lost. We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue. At this point, I think
it's time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows. I'll wait one more month and then send out
a news item and later mask hardened-sources for removal. I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings.

I welcome feedback.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA

Thread overview (8+ messages):
2017-06-23 16:28 Anthony G. Basile [this message]
2017-06-23 17:27 ` William L. Thomson Jr.
2017-06-23 17:49 ` Toralf Förster
2017-06-23 18:08 ` Mike Gilbert
2017-06-23 18:47 ` Michael Orlitzky
2017-06-23 18:04 ` NP-Hardass
2017-06-23 18:54 ` Alice Ferrazzi
2017-06-23 20:46 ` Sergei Trofimovich