On 06/23/2017 12:28 PM, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>

Thoughts on using this [1] unofficial fork? At the moment, it looks like
it is up to date with the 4.9.x branch (ported up to 4.9.33; the last
official release is 4.9.24). It should be noted, however, that the
maintainer has stated that the intention is forward porting and
bug-fixing, not new feature development. Is it worth contacting the
maintainer to find out whether the intention is to support other
branches in the future?

Obviously using an unofficial fork should come with a big warning, but I
think it is worth considering keeping an option available to those who
want it.

There may be other forks, but that's the only one I've come across since
upstream stopped publishing publicly.

As a personal aside, I think our support of grsec in the past has been a
major asset for the distro, and I'd prefer to see us maintain that asset
via an unofficial port, if possible.

On a slightly more off-topic note, I must say, from my reading of
changelogs, bug reports, and forum posts, I think it is a shame that
we've been cut off with no real special consideration, given how much it
appears that Gentoo was involved in the feedback and improvement process
for grsec.

--
NP-Hardass

[1] https://github.com/minipli/linux-unofficial_grsec/