1 |
Hi, |
2 |
|
3 |
I honestly don't see how it would be feasible to maintain a feature |
4 |
that the developers maintaining it have access to. |
5 |
|
6 |
I get that this whole pax-thing embodies a huge part of Gentoo history |
7 |
and it may feel hard for some to let it go. But things are how they are. |
8 |
|
9 |
Regarding the fork states: I followed up on minipli's fork, which |
10 |
tried to maintain newer patches of grsec for LTS kernels, but that |
11 |
essentially stopped after KPTI/meltdown/retpoline. From what I know |
12 |
there's no public grsec patch with kpti or any spectre fixes, thus I |
13 |
would very much say you're safer these days with an upstream kernel. |
14 |
|
15 |
I think the only realistic way this support can be upheld would be if |
16 |
some people who have access to the grsec sources commit to making sure |
17 |
that it is maintained. |
18 |
|
19 |
|
20 |
There's also another question related to this: What's the future for |
21 |
Gentoo hardened? |
22 |
From what I can tell hardened consists of: |
23 |
* the things that try to make it compatible with grsec/pax |
24 |
(more or less obsolete). |
25 |
* things that are now in default profiles anyway (aslr, stack |
26 |
protector). |
27 |
* things that probably should be in default profiles (relro, now linker |
28 |
flags) |
29 |
* -fstack-check, which should eventually be replaced with |
30 |
-fstack-clash-protection (only available in future gcc's) and that |
31 |
should probably also go into default profiles. |
32 |
* Furthermore hardened disables some useful features due to their |
33 |
incompatibility with pax (e.g. sanitizers). |
34 |
|
35 |
So it's stuff that either is obsolete or probably should be a candidate |
36 |
for main profiles. Maybe we should strive for "hardened-by-default". |
37 |
|
38 |
-- |
39 |
Hanno Böck |
40 |
https://hboeck.de/ |
41 |
|
42 |
mail/jabber: hanno@××××××.de |
43 |
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 |