| 1 |
Hi, |
| 2 |
|
| 3 |
I honestly don't see how it would be feasible to maintain a feature |
| 4 |
that the developers maintaining it have access to. |
| 5 |
|
| 6 |
I get that this whole pax-thing embodies a huge part of Gentoo history |
| 7 |
and it may feel hard for some to let it go. But things are how they are. |
| 8 |
|
| 9 |
Regarding the fork states: I followed up on minipli's fork, which |
| 10 |
tried to maintain newer patches of grsec for LTS kernels, but that |
| 11 |
essentially stopped after KPTI/meltdown/retpoline. From what I know |
| 12 |
there's no public grsec patch with kpti or any spectre fixes, thus I |
| 13 |
would very much say you're safer these days with an upstream kernel. |
| 14 |
|
| 15 |
I think the only realistic way this support can be upheld would be if |
| 16 |
some people who have access to the grsec sources commit to making sure |
| 17 |
that it is maintained. |
| 18 |
|
| 19 |
|
| 20 |
There's also another question related to this: What's the future for |
| 21 |
Gentoo hardened? |
| 22 |
From what I can tell hardened consists of: |
| 23 |
* the things that try to make it compatible with grsec/pax |
| 24 |
(more or less obsolete). |
| 25 |
* things that are now in default profiles anyway (aslr, stack |
| 26 |
protector). |
| 27 |
* things that probably should be in default profiles (relro, now linker |
| 28 |
flags) |
| 29 |
* -fstack-check, which should eventually be replaced with |
| 30 |
-fstack-clash-protection (only available in future gcc's) and that |
| 31 |
should probably also go into default profiles. |
| 32 |
* Furthermore hardened disables some useful features due to their |
| 33 |
incompatibility with pax (e.g. sanitizers). |
| 34 |
|
| 35 |
So it's stuff that either is obsolete or probably should be a candidate |
| 36 |
for main profiles. Maybe we should strive for "hardened-by-default". |
| 37 |
|
| 38 |
-- |
| 39 |
Hanno Böck |
| 40 |
https://hboeck.de/ |
| 41 |
|
| 42 |
mail/jabber: hanno@××××××.de |
| 43 |
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 |
Archives