Hi, here is the meeting log.
/Magnus
[21:03:41] <Zorry> 1.0 Toolchain
[21:03:57] <Zorry> gcc 4.7 has been unmasked
[21:04:18] <Zorry> and 4.8 may hit rc1 next week
[21:04:43] <Zorry> and i have x86/amd64/arm support added in the h-dev overlay
[21:05:05] <Zorry> and will add the rest this weekend for spec testing
[21:05:48] <Zorry> blueness: do you have anything on uclibc
[21:05:57] <blueness> just maintenance really
[21:06:05] <blueness> so nothing new, but it is up to date
[21:06:18] <Zorry> anyone else?
[21:06:31] <miniBill> blueness: may I pm you?
[21:06:43] <blueness> miniBill, sure but i'm in the meeting now
[21:06:45] <Zorry> next then
[21:06:47] <blueness> so answer will be slow
[21:06:48] <blueness> next
[21:07:02] <Zorry> 2.0 Kernel & grsec/pax
[21:07:14] <blueness> okay two reports
[21:07:31] <blueness> 1) recent vanilla had some issues
[21:07:53] <blueness> there was a local root escalation, so I had to rapid stabilize 3.7.5-r1
[21:08:13] <blueness> but there was an issue with dovecot, specifically with the size of VSIZE memory
[21:08:27] <blueness> so i may have to test and stabilize a 3.8.x soon
[21:08:44] <blueness> i hate it when i rapid stabilize because we always miss something
[21:09:14] <blueness> but i had little choice, the diag_socks[] exploit would cause x86 hardened sources to instantly panic
[21:09:18] <blueness> and reboot
[21:09:21] <blueness> so
[21:09:34] <blueness> maybe i can ask people to test the most recent 3.8 and see if any have issues
[21:10:11] <blueness> 2) we are very close to the XATTR_PAX migration, i have the eclass ready and i will announce it for review on gentoo-dev@ this weekend
[21:10:35] <blueness> we had some bugs but Alphat-pc caught quite a few bugs and it all looks good
[21:11:01] <blueness> but there is one tiny issue
[21:11:14] <blueness> it has to do with pax migration on systems which use paludis
[21:11:53] <blueness> paludis does NOT record NEEDED.ELF.2 information (linkage information) and so it's hard to run python against portage to get all the linkage information on a system
[21:11:55] <blueness> so
[21:12:09] <blueness> i will write revdep-pax-ng and migrate-pax-ng, ng = non-gentoo
[21:12:12] <blueness> it will be much slower
[21:12:43] <blueness> the paludis dev was not at all sympathetic and it will be faster to do it this way than to try to get NEEDED.ELF.2 into pms specs
[21:12:45] <lejonet> blueness: I got 3.8.0 running, freshly rebooted into actually, on my server, if you need any tests done just ask :)
[21:13:00] <SwifT> call it "-noportage", -ng gives the impression of "next generation" or so, like syslog-ng
[21:13:15] <blueness> SwifT, that's kinda the joke :)
[21:13:25] <blueness> i can do that
[21:13:59] <blueness> why i have to reconstruct linkage info that's there from when you emerge is beyond me, but the paludis dev didn't seem to get that
[21:14:23] <blueness> zac medico thought it was a good idea ... shrug
[21:14:34] <blueness> any other questions?
[21:14:54] <Aleister> -lg
[21:14:59] <blueness> lg?
[21:15:05] <Aleister> last-generation
[21:15:21] <SwifT> or -portage-rules -- the paludis users will love to call such tools
[21:15:21] <blueness> heh
[21:15:41] <SwifT> but we digress
[21:16:00] <blueness> one of the things i love about portage is that it has such rich info about the state of your system, why degrade that is beyond me
[21:16:20] <blueness> i am able to construct complete linkage maps with the exceptions of plugins of course
[21:16:28] <blueness> and precompiled binaries
[21:17:18] <blueness> lejonet, sorry for the delay, try all the major things you can with a server and let me know if anything breaks
[21:17:28] <blueness> next?
[21:17:33] <lejonet> blueness: sure thing
[21:17:43] <lejonet> and no probs regarding delay :)
[21:17:45] <Zorry> pipacs: do you have anything from upstream?
[21:17:52] <Aleister> blueness: i'll see if i can roll that out too in the weekend :)
[21:18:03] <blueness> thanks
[21:18:09] <Zorry> else next then
[21:18:19] <pipacs> nothing really
[21:18:22] <Zorry> 3.0 Selinux
[21:18:32] <pipacs> perhaps watch out for constification related breakage when spender takes in the latest pax changes ;)
[21:18:40] <pipacs> that'll likely break external modules as usual
[21:18:51] <pipacs> cc me on the bugs and i'll see what i can do
[21:18:56] <Zorry> k
[21:19:05] <blueness> pipacs, that's been my experience, modules are the most fragile part of the kernel
[21:19:10] <blueness> wrt constification
[21:19:33] <SwifT> the rev11 policies have been stabilized a few weeks ago, rev12 is in the making. Nothing major, just a sync with upstream and a patch or 7 from bugs on bugs.gentoo.org
[21:19:38] <lejonet> pipacs: you just like breaking things, don't you? :P
[21:19:43] <-- scarabeus (~scarabeus@gentoo/developer/flyingspaghettimonster/scarabeus) has quit (Client Quit)
[21:20:06] <SwifT> i'm fiddling a bit with setools and policycoreutils now, one because of a new upstream release (setools), the other due to a build issue when not using PAM
[21:20:20] <SwifT> I should have their packages in the hardened-dev overlay this week
[21:20:40] <SwifT> I also released a new SELinux-enabled VM onto the experimental/amd64/qemu-linux location on our mirrors
[21:20:54] <SwifT> it runs the at that time latest policy and a stable system
[21:21:13] <SwifT> it has many grsecurity settings enabled, including pax (of course) and uses IMA/EVM as well
[21:21:43] <SwifT> i'm also converting my VMs to use this selinuxnode image as their base, so that I can quickly release newer versions
[21:22:06] <SwifT> that's it for SELinux (non-docs related)
[21:22:33] <Zorry> anyone else?
[21:22:56] <Zorry> 4.0 Profiles
[21:23:26] <Zorry> i don't have anything and 13.0 runs fine for me
[21:23:43] <Zorry> blueness: do you have anything?
[21:23:56] <blueness> Zorry, not really just one minor point for hardened mips
[21:24:02] <blueness> that's glibc hardened mips
[21:24:07] <pipacs> question: do you guys support arm?
[21:24:12] <blueness> pipacs, yes
[21:24:26] <blueness> the hardened mips profiles are different
[21:24:31] <pipacs> with 3.8 there's uderef/kernexec support on arm now (in case you haven't read spender's blog) ;)
[21:24:42] <pipacs> and i'm wondering if there're any users experimenting with it already
[21:24:44] <blueness> they don't inherit in the same way as the others, so i went ahead and switched them to 13.0
[21:24:49] <miniBill> jeez, this resize2fs is taking *forever!
[21:25:22] <blueness> so we still have to switch the other arches from 10.0 to 13.0 but mips i had to switch right away
[21:25:38] <blueness> it's okay the only hardened mips out there is the lemote stuff and i'm taking care of that
[21:26:05] <blueness> pipacs, we support arm for userland for sure, but kernel + arm is a bit harder
[21:26:18] <blueness> eg the chromebooks
[21:26:43] <blueness> i can try later compiling a 3.8 kernel for them and see if i can get it to boot off of sd card
[21:26:47] <Zero_Chaos> blueness: I have an ebuild for the chromebook official kernel in the pentoo overlay if it helps you in any way
[21:26:51] <blueness> if i can, then i can do kerneland testing
[21:26:56] <pipacs> i hope there'll be more users on arm too
[21:27:02] <blueness> Zero_Chaos, i don't need that, just to know that it works
[21:27:06] <pipacs> as in hardened users
[21:27:24] <blueness> pipacs, okay i can up that support
[21:27:35] <blueness> right now when i stabilize a kernel, i do so only on amd64 and x86
[21:27:43] <blueness> i can add in arm
[21:27:56] <blueness> but embedded is always a bit trickier
[21:28:13] <blueness> certainly with the genesi efika's it'll be a no go
[21:28:21] <steev> UR A NO GO
[21:28:40] <blueness> steev, what do you think? a 3.8 on a genesi efika?
[21:28:50] <steev> good luck with that
[21:28:55] <blueness> that's what i'm thinking
[21:29:00] <steev> since there's 0 support in the kernel
[21:29:04] <blueness> right
[21:29:05] <steev> mainline
[21:29:16] <steev> i have it sitting on my computer here, but without usb it's fairly useless
[21:29:41] <Zorry> getting a little off topic on profiles
[21:29:41] <blueness> i'd have to grab the hardware support out of the genesi repo and try to bump it up to 3.8 to test pipacs' latest hardening there
[21:29:45] <blueness> yes
[21:30:02] <Zorry> next?
[21:30:16] <blueness> Zorry, actually nothing more on the topic of profiles from me, we just need to think about when to make the final switch to 13.0
[21:30:24] <blueness> maybe another month?
[21:30:31] <Zorry> +1
[21:30:54] <blueness> k
[21:31:10] <Zorry> 5.0 System integrity
[21:31:24] <Zorry> SwifT: ^^
[21:31:35] <SwifT> the necessary userland utilities have been moved to the main tree; still ~arch for now
[21:31:45] <SwifT> but i'll stabilize them after the appropriate 30 days
[21:32:15] <SwifT> IMA support, even with custom (selinux-driven) policies, works well. EVM is giving me a small headache though, but there have been some patches made to the code base upstream so we might need those
[21:32:25] <SwifT> until then, running with EVM=fix is the best thing to do
[21:32:35] <SwifT> i'll try and debug this further later
[21:33:05] <SwifT> I'm also experimenting with their kernel module signing support, so expect a documentation update on that later this month
[21:33:17] <blueness> SwifT, what state is the documentation in?
[21:33:41] <SwifT> the documentation reflects the current state nicely; some of the docs have even been moved to the gentoo wiki as per last month's suggestion
[21:33:58] <SwifT> I try to keep the documentation up to par with the rest
[21:34:04] <blueness> SwifT, does the main page point to the wiki and vice versa?
[21:34:22] <blueness> i'd like to try it soon, but since i don't know what i'm doing, i'll need to read your stuff
[21:34:23] <SwifT> the main page still points to the xml on the site, but the xml redirects to the wiki immediately then
[21:34:32] <blueness> k
[21:34:35] <SwifT> i'll update the links on the project site to point to the wiki immediately later (tomorrow or so)
[21:34:49] <SwifT> yes, reading is advised when trying to fiddle with IMA/EVM
[21:35:32] <lejonet> blueness, pipacs: radegand was having troubles regarding pax patches and 3.8.0 for arm
[21:35:53] <Zorry> lejonet: that that on bugs
[21:35:54] <pipacs> we discussed it in bugzilla i think
[21:36:02] <pipacs> gcc plugin header installation is buggy on arm
[21:36:11] <Zorry> SwifT: done?
[21:36:12] <lejonet> Zorry: was just mentioning it now as they touched arm + kernel :)
[21:36:16] <SwifT> Zorry: yup
[21:36:31] <Zorry> 6.0 Docs
[21:36:40] <prometheanfire> I'm here
[21:36:41] <prometheanfire> sorry
[21:36:53] <Zorry> don't have anything there
[21:36:56] <Zorry> klondike: SwifT ?
[21:36:57] <SwifT> i've moved a few documents (those that are not development oriented) to the wiki (the integrity and selinux ones)
[21:37:17] <SwifT> i'll check with klondike which other documents can be moved to the wiki as well
[21:37:29] <klondike> Not again
[21:37:37] <klondike> Have I missed the rollcall?
[21:37:43] <SwifT> it's a matter of converting the xml to wiki (automatically) and then updating the xml to redirect to the wiki
[21:38:15] <blueness> SwifT, i'd appreciate a better organization of the docs, i like the way you collected all the selinux docs together
[21:38:38] <blueness> i was going to try to better group the pax docs but that never happened :(
[21:39:08] <SwifT> blueness: the wiki isn't really organized at all, but we can always rename/move wiki documents if we don't like the name. However, I think for most of our hardened documents, this should be doable
[21:39:24] <SwifT> blueness: once we have the documents *somewhere* we can easily structure the links to the documents on the project page (regardless of where they are at)
[21:39:43] <blueness> true
[21:40:11] <miniBill> whoever didn't provide resize2fs with a way to report to the user even if started with the default command line should be eviscerated
[21:40:13] <blueness> maybe i'm obsessing too much about a uniform touch and feel
[21:40:40] <radegand> lejonet, pipacs is trying to reproduce the issue I've got with pax on arm
[21:40:49] <lejonet> ah
[21:40:53] <SwifT> no other stuff on hardened docs from me
[21:40:59] <Zorry> next then?
[21:41:01] <blueness> same here,
[21:41:11] <Zorry> 7.0 Bugs
[21:41:18] <klondike> Zorry: very busy with deadlines, no news from me at all I'm afraid
[21:41:34] <Zorry> do we have anything on bugs?
[21:41:55] <Zorry> next then?
[21:42:02] <Zorry> 8.0 Media
[21:42:34] <blueness> Zorry, we did have something on bugs, but we already talked about it above
[21:43:01] <Zorry> blueness: did figure that
[21:43:15] <Zorry> okay next then?
[21:43:31] <Zorry> 9.0 Open floor
