On 4/16/18 5:14 AM, Hanno Böck wrote:
> Hi,
>
> I honestly don't see how it would be feasible to maintain a feature
> that the developers maintaining it have access to.

I think you're missing a negation in there. Point well taken though.


>
> I get that this whole pax-thing embodies a huge part of Gentoo history
> and it may feel hard for some to let it go. But things are how they are.

I agree, and we'll have it in our history if hardened-sources ever comes
back. The only machinery we should keep is install-xattrs, which grew
out of the integration of xattr PaX markings but is useful beyond just PaX.

>
> Regarding the fork states: I followed up on minipli's fork, which
> tried to maintain newer patches of grsec for LTS kernels, but that
> essentially stopped after KPTI/meltdown/retpoline. From what I know
> there's no public grsec patch with kpti or any spectre fixes, thus I
> would very much say you're safer these days with an upstream kernel.
>

Correct. I would not use the old hardened-sources or minipli's fork on
any production server.

> I think the only realistic way this support can be upheld would be if
> some people who have access to the grsec sources commit to making sure
> that it is maintained.

Upstream has never responded to any email I sent them. I had a brief
discussion with spender when the decision came down, and he gave me what
I interpreted as an "I'm sorry this is going to adversely affect you but
it has to be this way."

>
>
> There's also another question related to this: What's the future for
> Gentoo hardened?
> From what I can tell hardened consists of:
> * the things that try to make it compatible with grsec/pax
> (more or less obsolete).
> * things that are now in default profiles anyway (aslr, stack
> protector).
> * things that probably should be in default profiles (relro, now linker
> flags)
> * -fstack-check, which should eventually be replaced with
> -fstack-clash-protection (only available in future gcc's) and that
> should probably also go into default profiles.
> * Furthermore hardened disables some useful features due to their
> incompatibility with pax (e.g. sanitizers).
>
> So it's stuff that either is obsolete or probably should be a candidate
> for main profiles. Maybe we should strive for "hardened-by-default".
>

You're forgetting selinux. Most of Zorry's work has made it into gcc
and is now being enabled by our default toolchain. Some kernel features
have also been improved upstream. With upstream carrying a lot of the
work we did, I think 'hardened-by-default' minus selinux should be the
goal of Gentoo.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
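The quoted list above names the toolchain pieces a "hardened-by-default" profile would have to deliver (RELRO, the BIND_NOW linker flag, stack protector, PIE/ASLR). The following is an added example, not code from this thread or from Gentoo: a small ELF64 inspector that reads the program headers and dynamic section directly to report whether a binary was linked with partial or full RELRO, BIND_NOW and as a PIE, plus a heuristic stack-protector check, which is roughly what checksec or pax-utils' scanelf do. It handles little-endian ELF64 only, treats the presence of the `__stack_chk_fail` import as the canary indicator, and exercises itself on a constructed minimal ELF image (headers and a dynamic section, no code) so it runs offline; the constant values are taken from the ELF gABI and glibc's `elf.h`.

```python
import struct
import sys

# ELF constants from the gABI / GNU extensions (only the ones inspected here).
ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def check_elf64(data: bytes) -> dict:
    """Classify a little-endian ELF64 image the way checksec/scanelf do.

    relro: 'none' (no PT_GNU_RELRO), 'partial' (RELRO segment but lazy
    binding) or 'full' (RELRO plus BIND_NOW, so the GOT is read-only
    before main() runs).  pie: ET_DYN with an interpreter or DF_1_PIE,
    which separates PIE executables from ordinary shared libraries.
    stack_protector: heuristic, looks for the __stack_chk_fail import.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_relro = has_interp = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, base)[0]
        p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", data, base + 8)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = pie_flag = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                bind_now = True
            if d_tag == DT_FLAGS_1:
                bind_now = bind_now or bool(d_val & DF_1_NOW)
                pie_flag = bool(d_val & DF_1_PIE)

    return {
        "pie": e_type == ET_DYN and (has_interp or pie_flag),
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "bind_now": bind_now,
        "stack_protector": b"__stack_chk_fail" in data,
    }


def build_sample(relro: bool, bind_now: bool, pie: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (headers, PT_DYNAMIC, optional RELRO
    and INTERP segments, no code) used to exercise check_elf64 offline."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    phnum = 1 + int(relro) + int(pie)
    dyn_off = 64 + 56 * phnum
    interp_off = dyn_off + len(dyn)

    def phdr(p_type, off, size):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)

    phdrs = phdr(PT_DYNAMIC, dyn_off, len(dyn))
    if relro:
        phdrs += phdr(PT_GNU_RELRO, dyn_off, len(dyn))
    if pie:
        phdrs += phdr(PT_INTERP, interp_off, len(interp))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    body = ehdr + phdrs + dyn + interp
    return body + (b"__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary (defaults to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True, True, True, True)
    print(check_elf64(blob))
```

Run it against a freshly built hello-world to see what the toolchain emits by default: "partial" RELRO means `-z relro` without `-z now`, so the GOT stays writable while lazy binding is in use; "full" is what a hardened profile wants. The canary check is only a hint, since a statically linked or unusually stripped binary can carry the protector without the imported symbol.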