| 1 |
On 06/22/2013 10:43 AM, Greg KH wrote: |
| 2 |
> On Sat, Jun 22, 2013 at 04:56:39AM -0400, Anthony G. Basile wrote: |
| 3 |
>> On 06/21/2013 11:47 PM, Greg KH wrote: |
| 4 |
>>> On Fri, Jun 21, 2013 at 09:54:46PM -0400, Anthony G. Basile wrote: |
| 5 |
>>>> The bug where this was discussed is |
| 6 |
>>>> |
| 7 |
>>>> https://bugs.gentoo.org/show_bug.cgi?id=338739 |
| 8 |
>>> Thanks for the link, unfortunatly, things have changed since then, with |
| 9 |
>>> stable kernel releases happening much more frequently now (instead of |
| 10 |
>>> about ever 2-3 weeks, it's now, 1-2 releases a week. |
| 11 |
>>> |
| 12 |
>>> So the chance for an arch team to mark anything is going to be tough. |
| 13 |
>>> |
| 14 |
>>> greg k-h |
| 15 |
>>> |
| 16 |
>> I've been following, but I can't say I've been following closely. |
| 17 |
>> I'm on the stable{,-commits}@vger list and the rate at which this |
| 18 |
>> stuff is coming is too fast for human consumption. |
| 19 |
> So, as I am the one creating all of that "stuff", does that mean I'm |
| 20 |
> somehow not "human"? :) |
| 21 |
|
| 22 |
Yes, yes it does :) I was one of your 40 elect when you needed minion, |
| 23 |
but I just can't with all my other duties. |
| 24 |
|
| 25 |
> |
| 26 |
>> We could just drop stabilization of vanilla-sources and have people |
| 27 |
>> follow ~arch. That might be closer to the meaning of ~testing vs |
| 28 |
>> stable in other packages: other upstreams push out releases they |
| 29 |
>> consider stable, but we don't consider them stable within Gentoo |
| 30 |
>> until our QA team tests. |
| 31 |
> I agree. |
| 32 |
> |
| 33 |
>> Another reason for dropping all vanilla-sources to ~arch is that we |
| 34 |
>> have some Gentoo specific needs that upstream will not and should |
| 35 |
>> not accept, eg we are making greater use of extended attributes in |
| 36 |
>> our package management, so we need end-to-end copying of xattrs. |
| 37 |
>> This means preserving certain namespaces (beyond security.* and |
| 38 |
>> trusted.*) on tmpfs for emerge. Gentoo users that use |
| 39 |
>> vanilla-sources will loose those xattr values making vanilla-sources |
| 40 |
>> ~ with respect to the rest of Gentoo. |
| 41 |
> What? So we are now relying on kernel patches that are not merged |
| 42 |
> upstream for proper operation of at Gentoo-based system? That's news to |
| 43 |
> me, I've _never_ run a gentoo-based kernel on my boxes in all of my |
| 44 |
> years as a Gentoo developer, with no problems, and I don't think we want |
| 45 |
> to require this in the future, do you? |
| 46 |
|
| 47 |
Its related to PaX coming form the grsec/pax team. |
| 48 |
|
| 49 |
> |
| 50 |
> Also, why aren't these patches upstream? Were they rejected? Just not |
| 51 |
> ready? No one submitted them? |
| 52 |
|
| 53 |
We need to maintain a special namespace on tmpfs beyond security.* and |
| 54 |
trusted.* It is "user.pax.flags" and it is limited to 8 bytes. Without |
| 55 |
it, we will not have end-to-end xattr support for the namespaces we need |
| 56 |
in Gentoo. |
| 57 |
|
| 58 |
As for why they are not upstream, I can try. I'm like 99.9% certain it |
| 59 |
will be rejected but at the very least, if the rejection is "we don't |
| 60 |
need that crap" then I can safely ignore it, but if the rejection is |
| 61 |
"there's a gapping security whole" then we can at least address it even |
| 62 |
if in the end they pulled into vanilla. |
| 63 |
|
| 64 |
> |
| 65 |
> Don't ever try to differentiate at the kernel level from other distros, |
| 66 |
> it's not worth it, and will cause problems in the end. The other |
| 67 |
> distros have realized this, I thought we were smarter than that... |
| 68 |
|
| 69 |
Like the 50k line patch that Brad spews out every other day? I |
| 70 |
understand your point but grsec/pax has a large enough user base and |
| 71 |
we've supported it for 10 years now. |
| 72 |
|
| 73 |
As for not differentiating at the kernel level, our choice here was |
| 74 |
either that or differentiate at the toolchain level. Try readelf -l on |
| 75 |
any Gentoo elf object and tell me what you see different than, oh say, |
| 76 |
OpenSuse. A 5 line patch to mm/shmem.c in the kernel is a small price |
| 77 |
to pay for cleaning up the program headers of our elf objects |
| 78 |
userland-wide. *That* will bring Genoo in line with other linux distros. |
| 79 |
|
| 80 |
> |
| 81 |
> thanks, |
| 82 |
> |
| 83 |
> greg k-h |
| 84 |
> |
| 85 |
|
| 86 |
|
| 87 |
-- |
| 88 |
Anthony G. Basile, Ph.D. |
| 89 |
Gentoo Linux Developer [Hardened] |
| 90 |
E-Mail : blueness@g.o |
| 91 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 92 |
GnuPG ID : F52D4BBA |
Archives