From: "Anthony G. Basile"
To: Gentoo Development, Gentoo project list, gentoo-hardened@lists.gentoo.org
Subject: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
Date: Fri, 23 Jun 2017 12:28:27 -0400

Hi everyone,

Since late April, grsecurity upstream has stopped making their patches available publicly.
Without going into details, the reason for their decision revolves around disputes about how their patches were being (ab)used.

Since the grsecurity patch formed the main core of our hardened-sources kernel, their decision has serious repercussions for the Hardened Gentoo project. I will no longer be able to support hardened-sources and will have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via hardened-sources) and toolchain/executable hardening. The two are interrelated but independent enough that toolchain hardening can continue on its own. The hardened kernel, however, provided PaX protection for executables and this will be lost. We did a lot of work to properly maintain PaX markings in our package management system and there was no part of Gentoo that wasn't touched by issues stemming from PaX support.

I waited two months before saying anything because the reasons were more of a political nature than some technical issue. At this point, I think it's time to let the community know about the state of affairs with hardened-sources. I can no longer get into the #grsecurity/OFTC channel (nothing personal, they kicked everyone), and so I have not spoken to spengler or pipacs. I don't know if they will ever release grsecurity patches again.

My plan then is as follows. I'll wait one more month and then send out a news item and later mask hardened-sources for removal. I don't recommend we remove any of the machinery from Gentoo that deals with PaX markings.

I welcome feedback.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail   : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA