From: "Daniel Cegiełka" <daniel.cegielka@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] RIP hardened-sources
Date: Sat, 29 Apr 2017 17:56:10 +0200 [thread overview]
Message-ID: <CAPLrYETZWnKoxpaA41BfXMOePZmX_T9ne0yjMpAFgBY=PH5LtA@mail.gmail.com> (raw)
In-Reply-To: <20170429124744.GP28917@home.power>
2017-04-29 14:47 GMT+02:00 Alex Efros <powerman@powerman.name>:
> Hi!
>
> On Sat, Apr 29, 2017 at 01:49:20PM +0200, Luis Ressel wrote:
>> I suppose we all just grudgingly switch over to gentoo-sources?
>
> I wonder for how long time current kernel with grsec will be more safe and
> protected against new exploits than up-to-date gentoo-sources…
> Something new in security: avoid updates to have better protection.
It's not about grsecurity, it's about PaX. This was the basic layer
of protection. Gentoo Hardened has spent years working to provide PaX
support in userland. It was the core of this project. Alpine Linux and
others are also based on PaX. After years of building _trust_, it all
disappears overnight. You can use Grsecurity, you can use SELinux, you
can use RSBAC, but you do not have a good alternative for PaX. And
this is an existential problem for all these projects. By the way, I
don't know what the Gentoo Hardened or Alpine Linux have done wrong,
that now are left out in the cold.
Instead of complaining, we have to decide what to do next. In my
opinion, it is critical to maintain support for PaX* for future
kernels. It will not be easy, so I'm right away saying that Gentoo
Hardened, Alpine Linux etc. should join forces in realizing this
project. I think there will be more people who will be interested
in...
* https://www.grsecurity.net/~paxguy1/
Daniel
next prev parent reply other threads:[~2017-04-29 15:56 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-29 11:49 [gentoo-hardened] RIP hardened-sources Luis Ressel
2017-04-29 12:47 ` Alex Efros
2017-04-29 15:56 ` Daniel Cegiełka [this message]
2017-04-29 16:52 ` Javier Juan Martinez Cabezon
2017-04-29 16:58 ` Luis Ressel
2017-04-30 8:15 ` Javier Juan Martinez Cabezon
2017-04-29 17:04 ` Luis Ressel
2017-04-29 18:43 ` Daniel Cegiełka
2017-04-29 20:34 ` "Tóth Attila"
2017-04-29 22:04 ` Brant Williams
2017-04-30 13:00 ` Andrew Savchenko
2017-04-30 13:16 ` Alex Efros
2017-04-30 14:34 ` Andrew Savchenko
2017-04-30 14:56 ` "Tóth Attila"
2017-04-30 13:07 ` Andrew Savchenko
2017-04-29 13:11 ` Alex Efros
2017-04-29 13:46 ` PaX Team
2017-04-29 16:46 ` Alex Efros
2017-04-30 11:08 ` Alex Efros
2017-04-30 11:50 ` SK
2017-04-30 11:55 ` SK
2017-04-30 12:32 ` Andrew Savchenko
2017-04-30 12:56 ` Alex Efros
2017-04-30 13:28 ` Andrew Savchenko
2017-04-30 13:07 ` Daniel Cegiełka
2017-04-29 15:30 ` Paweł Hajdan, Jr.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPLrYETZWnKoxpaA41BfXMOePZmX_T9ne0yjMpAFgBY=PH5LtA@mail.gmail.com' \
--to=daniel.cegielka@gmail.com \
--cc=gentoo-hardened@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox