Gentoo Archives: gentoo-project

From: Alice Ferrazzi <alicef@g.o>
To: gentoo Project mailinglist <gentoo-project@l.g.o>
Cc: Gentoo Development <gentoo-dev@l.g.o>, gentoo-hardened@l.g.o
Subject: Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
Date: Fri, 23 Jun 2017 18:54:37
Message-Id: CANWzcUoffN2+2W5VCFE6RsRXVErQyM9f3vSe-wPHOgd20151kA@mail.gmail.com
In Reply to: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream by "Anthony G. Basile"
On Sat, Jun 24, 2017 at 1:28 AM, Anthony G. Basile <blueness@g.o> wrote:
>
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>

As we already contributed to grsec in the past,
it would be sad to see hardened-sources go away.
What about the possibility of Gentoo forking PaX?

--
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
Mail: Alice Ferrazzi <alicef@g.o>
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A