| 1 |
On Sat, Jun 22, 2013 at 12:46:01PM -0400, Anthony G. Basile wrote: |
| 2 |
> >>Another reason for dropping all vanilla-sources to ~arch is that we |
| 3 |
> >>have some Gentoo specific needs that upstream will not and should |
| 4 |
> >>not accept, eg we are making greater use of extended attributes in |
| 5 |
> >>our package management, so we need end-to-end copying of xattrs. |
| 6 |
> >>This means preserving certain namespaces (beyond security.* and |
| 7 |
> >>trusted.*) on tmpfs for emerge. Gentoo users that use |
| 8 |
> >>vanilla-sources will loose those xattr values making vanilla-sources |
| 9 |
> >>~ with respect to the rest of Gentoo. |
| 10 |
> >What? So we are now relying on kernel patches that are not merged |
| 11 |
> >upstream for proper operation of at Gentoo-based system? That's news to |
| 12 |
> >me, I've _never_ run a gentoo-based kernel on my boxes in all of my |
| 13 |
> >years as a Gentoo developer, with no problems, and I don't think we want |
| 14 |
> >to require this in the future, do you? |
| 15 |
> |
| 16 |
> Its related to PaX coming form the grsec/pax team. |
| 17 |
|
| 18 |
Ah, this is just the "hardened" stuff, not the "normal" gentoo kernels, |
| 19 |
right? |
| 20 |
|
| 21 |
> >Also, why aren't these patches upstream? Were they rejected? Just not |
| 22 |
> >ready? No one submitted them? |
| 23 |
> |
| 24 |
> We need to maintain a special namespace on tmpfs beyond security.* |
| 25 |
> and trusted.* It is "user.pax.flags" and it is limited to 8 bytes. |
| 26 |
> Without it, we will not have end-to-end xattr support for the |
| 27 |
> namespaces we need in Gentoo. |
| 28 |
> |
| 29 |
> As for why they are not upstream, I can try. I'm like 99.9% certain |
| 30 |
> it will be rejected but at the very least, if the rejection is "we |
| 31 |
> don't need that crap" then I can safely ignore it, but if the |
| 32 |
> rejection is "there's a gapping security whole" then we can at least |
| 33 |
> address it even if in the end they pulled into vanilla. |
| 34 |
|
| 35 |
Any pointers to the patch so that I can take a look at it? |
| 36 |
|
| 37 |
thanks, |
| 38 |
|
| 39 |
greg k-h |
Archives