| 1 |
On 06/23/2017 12:28, Anthony G. Basile wrote: |
| 2 |
> Hi everyone, |
| 3 |
> |
| 4 |
> Since late April, grsecurity upstream has stop making their patches |
| 5 |
> available publicly. Without going into details, the reason for their |
| 6 |
> decision revolves around disputes about how their patches were being |
| 7 |
> (ab)used. |
| 8 |
> |
| 9 |
> Since the grsecurity patch formed the main core of our hardened-sources |
| 10 |
> kernel, their decision has serious repercussions for the Hardened Gentoo |
| 11 |
> project. I will no longer be able to support hardened-sources and will |
| 12 |
> have to eventually mask and remove it from the tree. |
| 13 |
> |
| 14 |
> Hardened Gentoo has two sides to it, kernel hardening (done via |
| 15 |
> hardened-sources) and toolchain/executable hardening. The two are |
| 16 |
> interrelated but independent enough that toolchain hardening can |
| 17 |
> continue on its own. The hardened kernel, however, provided PaX |
| 18 |
> protection for executables and this will be lost. We did a lot of work |
| 19 |
> to properly maintain PaX markings in our package management system and |
| 20 |
> there was no part of Gentoo that wasn't touched by issues stemming from |
| 21 |
> PaX support. |
| 22 |
> |
| 23 |
> I waited two months before saying anything because the reasons were more |
| 24 |
> of a political nature than some technical issue. At this point, I think |
| 25 |
> its time to let the community know about the state of affairs with |
| 26 |
> hardened-sources. |
| 27 |
> |
| 28 |
> I can no longer get into the #grsecurity/OFTC channel (nothing personal, |
| 29 |
> they kicked everyone), and so I have not spoken to spengler or pipacs. |
| 30 |
> I don't know if they will ever release grsecurity patches again. |
| 31 |
> |
| 32 |
> My plan then is as follows. I'll wait one more month and then send out |
| 33 |
> a news item and later mask hardened-sources for removal. I don't |
| 34 |
> recommend we remove any of the machinery from Gentoo that deals with PaX |
| 35 |
> markings. |
| 36 |
> |
| 37 |
> I welcome feedback. |
| 38 |
> |
| 39 |
|
| 40 |
So short-term, what's the next step one can do to hop off the hardened-sources |
| 41 |
train before it runs out of track without a full rebuild? I'm planning on a |
| 42 |
full rebuild/re-install eventually for my dev box, but it has been stuck on |
| 43 |
kernel 4.9.x since this shindig went down and I'd like to get ahead to 4.11 or |
| 44 |
4.12 instead of using my SGI machines to discover new surprises. |
| 45 |
|
| 46 |
Safe for now to just switch to gentoo-sources while retaining hardened |
| 47 |
toolchain? Or would there be a few additional steps needed? I only use PaX |
| 48 |
for mprotect() and the ALSR capabilities, though I suspect those might be in |
| 49 |
the standard sauce by now. As such, I haven't had to deal with userland issues |
| 50 |
and PaX too much over the years. |
| 51 |
|
| 52 |
-- |
| 53 |
Joshua Kinard |
| 54 |
Gentoo/MIPS |
| 55 |
kumba@g.o |
| 56 |
6144R/F5C6C943 2015-04-27 |
| 57 |
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943 |
| 58 |
|
| 59 |
"The past tempts us, the present confuses us, the future frightens us. And our |
| 60 |
lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 61 |
|
| 62 |
--Emperor Turhan, Centauri Republic |
Archives