On Sat, Jun 22, 2013 at 12:46:01PM -0400, Anthony G. Basile wrote:
> >> Another reason for dropping all vanilla-sources to ~arch is that we
> >> have some Gentoo specific needs that upstream will not and should
> >> not accept, eg we are making greater use of extended attributes in
> >> our package management, so we need end-to-end copying of xattrs.
> >> This means preserving certain namespaces (beyond security.* and
> >> trusted.*) on tmpfs for emerge. Gentoo users that use
> >> vanilla-sources will lose those xattr values making vanilla-sources
> >> ~ with respect to the rest of Gentoo.
> > What? So we are now relying on kernel patches that are not merged
> > upstream for proper operation of a Gentoo-based system? That's news to
> > me, I've _never_ run a gentoo-based kernel on my boxes in all of my
> > years as a Gentoo developer, with no problems, and I don't think we want
> > to require this in the future, do you?
>
> It's related to PaX coming from the grsec/pax team.
Ah, this is just the "hardened" stuff, not the "normal" gentoo kernels, right?

> > Also, why aren't these patches upstream? Were they rejected? Just not
> > ready? No one submitted them?
>
> We need to maintain a special namespace on tmpfs beyond security.*
> and trusted.* It is "user.pax.flags" and it is limited to 8 bytes.
> Without it, we will not have end-to-end xattr support for the
> namespaces we need in Gentoo.
>
> As for why they are not upstream, I can try. I'm like 99.9% certain
> it will be rejected but at the very least, if the rejection is "we
> don't need that crap" then I can safely ignore it, but if the
> rejection is "there's a gaping security hole" then we can at least
> address it even if in the end they pulled into vanilla.

Any pointers to the patch so that I can take a look at it?

thanks,

greg k-h
