2017-04-29 19:04 GMT+02:00 Luis Ressel <ara...@aixah.de>:
> On Sat, 29 Apr 2017 17:56:10 +0200
> Daniel Cegiełka <daniel.cegie...@gmail.com> wrote:
>
>> By the way, I don't know what the Gentoo Hardened or Alpine Linux
>> have done wrong, that now are left out in the cold.
>
> That's the part I don't get either. Since the only possible motivation
> I can think of for this move is to generate more income, they could've
> at least tried asking the community for donations first.

It's more complex:

https://www.theregister.co.uk/2015/08/27/grsecurity/

I don't judge them. I'm interested in the future of projects that were
heavily dependent on PaX (Gentoo Hardened, Alpine Linux).

> Now, I suppose someone is going to answer "If you'd be willing to
> regularly donate to them, you might as well get a subscription", but I
> fear this might have some serious drawbacks. In the past years,
> the Gentoo Hardened devs have invested quite some work to make sure
> most applications in the tree work on grsec/PaX-enabled kernels without
> too much fallout. But now, there's suddenly a lot less motivation to
> keep up this work.

Ned Lud (or Solar, but != Designer) has put a lot of work into the
launch of Gentoo Hardened and, of course, the popularization of PaX.
Old times.. :)

>> Instead of complaining, we have to decide what to do next. In my
>> opinion, it is critical to maintain support for PaX* for future
>> kernels. It will not be easy, so I'm right away saying that Gentoo
>> Hardened, Alpine Linux etc. should join forces in realizing this
>> project. I think there will be more people who will be interested
>> in...
>
> It might be hard to come up with the manpower needed to maintain such a
> large kernel patch. Assuming upstream stand by their decision in
> the long run, I think the only reasonable long-term approach would be to
> try mainlining as much as possible and forget about the rest. And as
> Brad and PaX Team can surely tell us, that'd be a gargantuan task if it
> is at all possible.

Patch weight is not the problem.. KSPP is. They copy (raw copy.. I
hope) code from PaX and bring it to the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c054ee3bbf69ebcabb1f3218b7faf4b1b37a8eb6
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5509cc18daa7f82bcc553be70df2117c8eedc16

This means that there will be conflicts in the future.

I don't claim that maintaining PaX support will be easy, but it's
possible to do so.

Daniel