1 |
On Sat, Jun 22, 2013 at 12:46:01PM -0400, Anthony G. Basile wrote: |
2 |
> >>Another reason for dropping all vanilla-sources to ~arch is that we |
3 |
> >>have some Gentoo specific needs that upstream will not and should |
4 |
> >>not accept, eg we are making greater use of extended attributes in |
5 |
> >>our package management, so we need end-to-end copying of xattrs. |
6 |
> >>This means preserving certain namespaces (beyond security.* and |
7 |
> >>trusted.*) on tmpfs for emerge. Gentoo users that use |
8 |
> >>vanilla-sources will loose those xattr values making vanilla-sources |
9 |
> >>~ with respect to the rest of Gentoo. |
10 |
> >What? So we are now relying on kernel patches that are not merged |
11 |
> >upstream for proper operation of at Gentoo-based system? That's news to |
12 |
> >me, I've _never_ run a gentoo-based kernel on my boxes in all of my |
13 |
> >years as a Gentoo developer, with no problems, and I don't think we want |
14 |
> >to require this in the future, do you? |
15 |
> |
16 |
> Its related to PaX coming form the grsec/pax team. |
17 |
|
18 |
Ah, this is just the "hardened" stuff, not the "normal" gentoo kernels, |
19 |
right? |
20 |
|
21 |
> >Also, why aren't these patches upstream? Were they rejected? Just not |
22 |
> >ready? No one submitted them? |
23 |
> |
24 |
> We need to maintain a special namespace on tmpfs beyond security.* |
25 |
> and trusted.* It is "user.pax.flags" and it is limited to 8 bytes. |
26 |
> Without it, we will not have end-to-end xattr support for the |
27 |
> namespaces we need in Gentoo. |
28 |
> |
29 |
> As for why they are not upstream, I can try. I'm like 99.9% certain |
30 |
> it will be rejected but at the very least, if the rejection is "we |
31 |
> don't need that crap" then I can safely ignore it, but if the |
32 |
> rejection is "there's a gapping security whole" then we can at least |
33 |
> address it even if in the end they pulled into vanilla. |
34 |
|
35 |
Any pointers to the patch so that I can take a look at it? |
36 |
|
37 |
thanks, |
38 |
|
39 |
greg k-h |