| 1 |
2017-04-29 14:47 GMT+02:00 Alex Efros <powerman@××××××××.name>: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> On Sat, Apr 29, 2017 at 01:49:20PM +0200, Luis Ressel wrote: |
| 5 |
>> I suppose we all just grudgingly switch over to gentoo-sources? |
| 6 |
> |
| 7 |
> I wonder for how long time current kernel with grsec will be more safe and |
| 8 |
> protected against new exploits than up-to-date gentoo-sources… |
| 9 |
> Something new in security: avoid updates to have better protection. |
| 10 |
|
| 11 |
It's not about grsecurity, it's about PaX. This was the basic layer |
| 12 |
of protection. Gentoo Hardened has spent years working to provide PaX |
| 13 |
support in userland. It was the core of this project. Alpine Linux and |
| 14 |
others are also based on PaX. After years of building _trust_, it all |
| 15 |
disappears overnight. You can use Grsecurity, you can use SELinux, you |
| 16 |
can use RSBAC, but you do not have a good alternative for PaX. And |
| 17 |
this is an existential problem for all these projects. By the way, I |
| 18 |
don't know what the Gentoo Hardened or Alpine Linux have done wrong, |
| 19 |
that now are left out in the cold. |
| 20 |
|
| 21 |
Instead of complaining, we have to decide what to do next. In my |
| 22 |
opinion, it is critical to maintain support for PaX* for future |
| 23 |
kernels. It will not be easy, so I'm right away saying that Gentoo |
| 24 |
Hardened, Alpine Linux etc. should join forces in realizing this |
| 25 |
project. I think there will be more people who will be interested |
| 26 |
in... |
| 27 |
|
| 28 |
* https://www.grsecurity.net/~paxguy1/ |
| 29 |
|
| 30 |
Daniel |
Archives