[gentoo-dev] Last rites: ruby21-only packages
# Hans de Graaff (23 Jun 2017)
# Mask ruby21-only packages for removal in 30 days
# Old slots that are ruby21-only
dev-ruby/prawn:1
dev-ruby/rspec:0
# ruby21-only package that does not work with current
# dev-ruby/parslet versions.
dev-ruby/toml
# ruby21-only, no maintainer, fails tests
www-apps/jekyll-paginate
# ruby21-only, no maintainer
www-apps/redmine
[gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
Hi everyone,

Since late April, grsecurity upstream has stopped making their patches available publicly. Without going into details, the reason for their decision revolves around disputes about how their patches were being (ab)used.

Since the grsecurity patch formed the main core of our hardened-sources kernel, their decision has serious repercussions for the Hardened Gentoo project. I will no longer be able to support hardened-sources and will have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via hardened-sources) and toolchain/executable hardening. The two are interrelated but independent enough that toolchain hardening can continue on its own. The hardened kernel, however, provided PaX protection for executables and this will be lost. We did a lot of work to properly maintain PaX markings in our package management system and there was no part of Gentoo that wasn't touched by issues stemming from PaX support.

I waited two months before saying anything because the reasons were more of a political nature than some technical issue. At this point, I think it's time to let the community know about the state of affairs with hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal, they kicked everyone), and so I have not spoken to spengler or pipacs. I don't know if they will ever release grsecurity patches again.

My plan then is as follows. I'll wait one more month and then send out a news item and later mask hardened-sources for removal. I don't recommend we remove any of the machinery from Gentoo that deals with PaX markings.

I welcome feedback.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
> I welcome feedback.

And how about KSPP and other similar projects that try to continue the idea of community-friendly development based on the latest release available to the wide public (or maybe some other that was grown in parallel with PaX)?

[OFFTOP]
I personally very much dislike Brad's behaviour. Not only closing the source from the public. Not only the blackmail to ban from updates customers that would publish the patches. But also his trolling against KSPP: firstly he cried that they steal his work (yup, steal. OpenSource. Lol). Then he stated that he wants KSPP to state *both* that their work is based on Grsec *and* that they have no connection with grsecurity at the *same time*.

So, it looks like he does not really care about Linux security. He only cares about his business. Which is against my vision of open source community principles. So, since that time I have no non-offensive words to describe him anymore.

So, I previously decided to take the latest available hardened-sources patchset and maintain it (mostly, fixes for new kernel releases) locally for my needs, until Gentoo Hardened migrates to KSPP, or KSPP merges all of the work into "vanilla" Linux. But since I read this notice, I'm very sad about the destiny of Gentoo Hardened. It was the best solution for production servers, imho. But news like that makes people think that it (Hardened Gentoo) is starting its pre-death agony. And that's very, very sad :'(
[/OFFTOP]
[gentoo-dev] Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
On Sat, Jun 24, 2017 at 1:28 AM, Anthony G. Basile wrote:
>
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>

As we already contributed to grsec in the past, it would be sad to see hardened-sources go away.
What about the possibility of Gentoo forking PaX?
-- 
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
Mail: Alice Ferrazzi
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On 06/23/2017 09:28 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>

Thanks for taking the time to let the greater Gentoo community know. It's a shame things took this turn... Is there any hope of a fork emerging from the drama?

Why would a security-conscious group take their toys and go home? Regardless, this is a loss for Linux as a whole. I hope something springs up in its place.

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6
[gentoo-dev] Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
On Fri, 23 Jun 2017 12:28:27 -0400 "Anthony G. Basile" wrote:
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.

Thanks for the status update!

-- 
Sergei
Re: [gentoo-dev] Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
On 2017.06.23 19:54, Alice Ferrazzi wrote:
[snip]
>
> As we already contribute to grsec in the past,
> would be sad to see hardened-sources go away.
> What about the possibility of Gentoo forking PaX ?
>
> --
> Thanks,
> Alice Ferrazzi
>
> Gentoo Kernel Project Leader
> Mail: Alice Ferrazzi
> PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
>
>

Alice,

Forking with what aim?
Keeping the existing functionality alive in line with kernel developments, or that and adding new features?

-- 
Regards,
Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods
Re: [gentoo-dev] Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
On Sat, Jun 24, 2017 at 5:48 AM, Roy Bamford wrote:
> On 2017.06.23 19:54, Alice Ferrazzi wrote:
> [snip]
>>
>> As we already contribute to grsec in the past,
>> would be sad to see hardened-sources go away.
>> What about the possibility of Gentoo forking PaX ?
>>
>> --
>> Thanks,
>> Alice Ferrazzi
>>
>> Gentoo Kernel Project Leader
>> Mail: Alice Ferrazzi
>> PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
>>
>>
>
> Alice,
>
> Forking with what aim?
> Keeping the existing functionality alive in line with kernel
> developments or that and adding new features.
>

As we now do not have enough resources to add new features, we could maybe consider keeping PaX alive.
I heard that Alpine Linux is also thinking about what to do.
Maybe we could ask to merge the efforts.
https://forum.alpinelinux.org/forum/pax-grsecurity/future-grsecurity-alpine

-- 
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
Mail: Alice Ferrazzi
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A