Gentoo Archives: gentoo-hardened

From: "Anthony G. Basile" <blueness@g.o>
To: Gentoo Development <gentoo-dev@l.g.o>, Gentoo project list <gentoo-project@l.g.o>, gentoo-hardened@l.g.o
Subject: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
Date: Fri, 23 Jun 2017 16:28:51
Message-Id: ea98b420-db01-4b70-68a3-f8f9a3f8b9cf@gentoo.org
1 Hi everyone,
2
3 Since late April, grsecurity upstream has stop making their patches
4 available publicly. Without going into details, the reason for their
5 decision revolves around disputes about how their patches were being
6 (ab)used.
7
8 Since the grsecurity patch formed the main core of our hardened-sources
9 kernel, their decision has serious repercussions for the Hardened Gentoo
10 project. I will no longer be able to support hardened-sources and will
11 have to eventually mask and remove it from the tree.
12
13 Hardened Gentoo has two sides to it, kernel hardening (done via
14 hardened-sources) and toolchain/executable hardening. The two are
15 interrelated but independent enough that toolchain hardening can
16 continue on its own. The hardened kernel, however, provided PaX
17 protection for executables and this will be lost. We did a lot of work
18 to properly maintain PaX markings in our package management system and
19 there was no part of Gentoo that wasn't touched by issues stemming from
20 PaX support.
21
22 I waited two months before saying anything because the reasons were more
23 of a political nature than some technical issue. At this point, I think
24 its time to let the community know about the state of affairs with
25 hardened-sources.
26
27 I can no longer get into the #grsecurity/OFTC channel (nothing personal,
28 they kicked everyone), and so I have not spoken to spengler or pipacs.
29 I don't know if they will ever release grsecurity patches again.
30
31 My plan then is as follows. I'll wait one more month and then send out
32 a news item and later mask hardened-sources for removal. I don't
33 recommend we remove any of the machinery from Gentoo that deals with PaX
34 markings.
35
36 I welcome feedback.
37
38 --
39 Anthony G. Basile, Ph.D.
40 Gentoo Linux Developer [Hardened]
41 E-Mail : blueness@g.o
42 GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
43 GnuPG ID : F52D4BBA

Replies