From: NP-Hardass
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
Date: Fri, 23 Jun 2017 14:04:20 -0400
List-Id: Gentoo Project discussion list
Openpgp: id=862040BE422755F27FDE13D5671C52F118F89C67

On 06/23/2017 12:28 PM, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>

Thoughts on using this [1] unofficial fork? At the moment, it looks like it is up to date with the 4.9.x branch (ported up to 4.9.33; the last official release is 4.9.24). It should be noted, however, that the maintainer has stated that the intention is forward porting and bug-fixing, not new feature development. Is it worth contacting the maintainer to find out whether the intention is to support other branches in the future?

Obviously using an unofficial fork should come with a big warning, but I think it is worth considering keeping an option available to those that want it. There may be other forks, but that's the only one I've come across since upstream stopped publishing publicly.

As a personal aside, I think our support of grsec in the past has been a major asset for the distro, and I'd prefer to see us maintain that asset via an unofficial port, if possible.

On a slightly more off-topic note, I must say, from my reading of changelogs, bug reports, and forum posts, I think it is a shame that we've been cut off with no real special consideration, given how much it appears that Gentoo was involved in the feedback and improvement process for grsec.
--
NP-Hardass

[1] https://github.com/minipli/linux-unofficial_grsec/