Hi everyone,

Since late April, grsecurity upstream has stopped making their patches
available publicly. Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project. I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening. The two are
interrelated but independent enough that toolchain hardening can
continue on its own. The hardened kernel, however, provided PaX
protection for executables and this will be lost. We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue. At this point, I think
it's time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows. I'll wait one more month and then send out
a news item and later mask hardened-sources for removal. I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings.

I welcome feedback.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA