public inbox for gentoo-project@lists.gentoo.org
From: NP-Hardass <NP-Hardass@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
Date: Fri, 23 Jun 2017 14:04:20 -0400
Message-ID: <fbeba8e1-d9ef-942c-9adb-93e4cffebb32@gentoo.org>
In-Reply-To: <ea98b420-db01-4b70-68a3-f8f9a3f8b9cf@gentoo.org>

On 06/23/2017 12:28 PM, Anthony G. Basile wrote:
> Hi everyone,
> 
> Since late April, grsecurity upstream has stopped making their patches
> available publicly.  Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
> 
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project.  I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
> 
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening.  The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own.  The hardened kernel, however, provided PaX
> protection for executables and this will be lost.  We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
> 
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue.  At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
> 
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
> 
> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
> 
> I welcome feedback.
> 

Thoughts on using this [1] unofficial fork?  At the moment, it looks like
it is up to date with the 4.9.x branch (ported up to 4.9.33; the last
official release is 4.9.24).  It should be noted, however, that the
maintainer has stated that the intention is forward porting and
bug-fixing, not new feature development.  Is it worth contacting the
maintainer to find out whether the intention is to support other
branches in the future?

Obviously using an unofficial fork should come with a big warning, but I
think it is worth considering keeping an option available to those that
want it.

There may be other forks but that's the only one I've come across since
upstream stopped publishing publicly.

As a personal aside, I think our support of grsec in the past has been a
major asset for the distro, and I'd prefer to see us maintain that asset
via an unofficial port, if possible.

On a slightly more off topic note, I must say, from my reading of
changelogs, bug reports, and forum posts, I think it is a shame that
we've been cut off with no real special consideration, given how much it
appears that Gentoo was involved in the feedback and improvement process
for grsec.

-- 
NP-Hardass

[1] https://github.com/minipli/linux-unofficial_grsec/
