1 |
On 06/22/2013 10:43 AM, Greg KH wrote: |
2 |
> On Sat, Jun 22, 2013 at 04:56:39AM -0400, Anthony G. Basile wrote: |
3 |
>> On 06/21/2013 11:47 PM, Greg KH wrote: |
4 |
>>> On Fri, Jun 21, 2013 at 09:54:46PM -0400, Anthony G. Basile wrote: |
5 |
>>>> The bug where this was discussed is |
6 |
>>>> |
7 |
>>>> https://bugs.gentoo.org/show_bug.cgi?id=338739 |
8 |
>>> Thanks for the link, unfortunatly, things have changed since then, with |
9 |
>>> stable kernel releases happening much more frequently now (instead of |
10 |
>>> about ever 2-3 weeks, it's now, 1-2 releases a week. |
11 |
>>> |
12 |
>>> So the chance for an arch team to mark anything is going to be tough. |
13 |
>>> |
14 |
>>> greg k-h |
15 |
>>> |
16 |
>> I've been following, but I can't say I've been following closely. |
17 |
>> I'm on the stable{,-commits}@vger list and the rate at which this |
18 |
>> stuff is coming is too fast for human consumption. |
19 |
> So, as I am the one creating all of that "stuff", does that mean I'm |
20 |
> somehow not "human"? :) |
21 |
|
22 |
Yes, yes it does :) I was one of your 40 elect when you needed minion, |
23 |
but I just can't with all my other duties. |
24 |
|
25 |
> |
26 |
>> We could just drop stabilization of vanilla-sources and have people |
27 |
>> follow ~arch. That might be closer to the meaning of ~testing vs |
28 |
>> stable in other packages: other upstreams push out releases they |
29 |
>> consider stable, but we don't consider them stable within Gentoo |
30 |
>> until our QA team tests. |
31 |
> I agree. |
32 |
> |
33 |
>> Another reason for dropping all vanilla-sources to ~arch is that we |
34 |
>> have some Gentoo specific needs that upstream will not and should |
35 |
>> not accept, eg we are making greater use of extended attributes in |
36 |
>> our package management, so we need end-to-end copying of xattrs. |
37 |
>> This means preserving certain namespaces (beyond security.* and |
38 |
>> trusted.*) on tmpfs for emerge. Gentoo users that use |
39 |
>> vanilla-sources will loose those xattr values making vanilla-sources |
40 |
>> ~ with respect to the rest of Gentoo. |
41 |
> What? So we are now relying on kernel patches that are not merged |
42 |
> upstream for proper operation of at Gentoo-based system? That's news to |
43 |
> me, I've _never_ run a gentoo-based kernel on my boxes in all of my |
44 |
> years as a Gentoo developer, with no problems, and I don't think we want |
45 |
> to require this in the future, do you? |
46 |
|
47 |
Its related to PaX coming form the grsec/pax team. |
48 |
|
49 |
> |
50 |
> Also, why aren't these patches upstream? Were they rejected? Just not |
51 |
> ready? No one submitted them? |
52 |
|
53 |
We need to maintain a special namespace on tmpfs beyond security.* and |
54 |
trusted.* It is "user.pax.flags" and it is limited to 8 bytes. Without |
55 |
it, we will not have end-to-end xattr support for the namespaces we need |
56 |
in Gentoo. |
57 |
|
58 |
As for why they are not upstream, I can try. I'm like 99.9% certain it |
59 |
will be rejected but at the very least, if the rejection is "we don't |
60 |
need that crap" then I can safely ignore it, but if the rejection is |
61 |
"there's a gapping security whole" then we can at least address it even |
62 |
if in the end they pulled into vanilla. |
63 |
|
64 |
> |
65 |
> Don't ever try to differentiate at the kernel level from other distros, |
66 |
> it's not worth it, and will cause problems in the end. The other |
67 |
> distros have realized this, I thought we were smarter than that... |
68 |
|
69 |
Like the 50k line patch that Brad spews out every other day? I |
70 |
understand your point but grsec/pax has a large enough user base and |
71 |
we've supported it for 10 years now. |
72 |
|
73 |
As for not differentiating at the kernel level, our choice here was |
74 |
either that or differentiate at the toolchain level. Try readelf -l on |
75 |
any Gentoo elf object and tell me what you see different than, oh say, |
76 |
OpenSuse. A 5 line patch to mm/shmem.c in the kernel is a small price |
77 |
to pay for cleaning up the program headers of our elf objects |
78 |
userland-wide. *That* will bring Genoo in line with other linux distros. |
79 |
|
80 |
> |
81 |
> thanks, |
82 |
> |
83 |
> greg k-h |
84 |
> |
85 |
|
86 |
|
87 |
-- |
88 |
Anthony G. Basile, Ph.D. |
89 |
Gentoo Linux Developer [Hardened] |
90 |
E-Mail : blueness@g.o |
91 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
92 |
GnuPG ID : F52D4BBA |