W dniu nie, 15.04.2018 o godzinie 20∶04 -0400, użytkownik Anthony G.
Basile napisał:
> Hi everyone,
> Magnus (aka Zorry) and I have been talking about what to do with PaX in
> the Gentoo tree.  A year ago, grsecurity.net upstream stopped providing
> open versions of their patches to the community and this basically
> brought an end to sys-kernel/hardened-sources.  I waited a while before
> masking the package in the hope that upstream might reconsider.  There
> were also some forks but I didn't have much confidence in them.  I'm not
> sure that any of these forks have been able to keep up past
> meltdown/specter.
> It may be time to remove sys-kernel/hardened-sources completely from the
> tree.  Removing the package is easy, but the issue is there is a lot of
> machinery in the tree that revolves around supporting a PaX kernel.
> This involves things like setting PaX flags on some executables either
> by touching the ELF program headers or the file's extended attributes,
> or applying custom patches.
> The question then is, do we remove all this code?  As thing stands, its
> just lint that serves no current purpose, so removing it would clean
> things up.  The disadvantage is it would be a pita to ever restore it if
> we ever wanted it back.  While upstream doesn't provide their patch for
> free, some users/companies can purchase the grsecurity patches and still
> use a custom hardened-sources kernel with Gentoo.  But since we haven't
> been able to test the pax markings/custom patches in about a year, its
> hard to say how useful that code might still be.

I'd dare say keeping pax-marking in ebuilds doesn't harm, at least
as long as we don't get reports that it's broken altogether.

It's not like most of us has been able to test it anyway.  The only pax-
marks ever added to my ebuilds were by patches supplied by people
actually using those kernels.  In this context, not much has changed for
most of our developers (i.e. 'can test' and 'will test' are two
different things).

One thing Hardened project should do is make a clear statement to other
developers -- i.e. indicate whether I should CC hardened@ when someone
has PaX problems and doesn't provide a patch, or just close the bug
saying that we can't solve it without a patch.

Best regards,
Michał Górny

Reply via email to