Re: [gentoo-dev] Creating a Gentoo built with Address Sanitizer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 07/02/2015 03:12 PM, Hanno Böck wrote: Hi, Hi Hanno, this sounds great! .. For now I just wanted to announce that I'm working on this, so people who care can get in touch with me. I'll probably write a detailed blog post at some point. Depending on how much interest there is this may be something Gentoo wants to consider as an official project and publish official stage tarballs. This might be something that can be interesting for the Auditing subproject of Security as well - -- Kristian Fiskerstrand Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 -BEGIN PGP SIGNATURE- iQEcBAEBCgAGBQJVlTpKAAoJECULev7WN52FddEH/Ahu5Pv1HoC4gJilEbOojsPj Yiex0b/HtBxsHcAkNfaFhc83ho3eX1yOoMj69Hh7Lc7+HItF1UFdIxJZ3XykYO4H fiZXonW0kcjuK2VKQnh/kQKju1NdALBHKuXQTZXKAz0NSId8/Pp9AUylWUHP6Btk EE8S+dBlntAm0xDZw6VbVerPCOEVGGDRRnJg8FqiX92JNPuRDt6jDJCRLy/q6rBF XyqSz4KG4dVa4xrlnemo1n/tZR2xRBBPRq+edYKZmIhELCuqZh2jZeRX3b5HSk1k maNou8o1at9lej+BqhNM1snFqWX0bZTQQfPq7erUIPfa6ZUq6LPhQSH/9gTpTMc= =RGP5 -END PGP SIGNATURE-
[gentoo-dev] Creating a Gentoo built with Address Sanitizer
Hi,
A quick intro for people who don't know address sanitizer (asan): It's a
feature of gcc and clang adding bounds-checking to c (enabled with
-fsanitize=address command line), which will cause applications to crash
and throw an error if an invalid memory access happens.
Very simple example:
int a[2]={1, 1};
int b=a[2];
This is invalid because a[2] does not exist, but usually software will
silently ignore such errors. Address Sanitizer catches them.
Address Sanitizer is supposed to be a debugging-tool, because it slows
down things quite a lot.
I've been playing with the idea of having a full system with almost
everything build with address sanitizer for quite a while. Gentoo is
obviously a good choice for such a system due to it being source based
and flexible.
I by now have a rudimentary system running in a chroot where everything
except glibc, gcc and some deps of gcc is built with asan. I'll probably
publish a stage tarball at some point. As asan has been around for a
while a lot of stuff is already fixed, so often it's merely a take the
newer version of package X and it works. But in the process of trying
to run such a system I already reported a couple of bugs to the
corresponding upstreams (e.g. recently in bash).
Why's that interesting? First of all it lets you find bugs. There may
be corner cases, but I'm right now not aware of any situation where an
error by address sanitizer happens in legit code. An out of bounds
access or other memory access errors are always a bug.
So in an ideal world it should be possible to just recompile
everything with asan and it runs. (You just need to consider the order
of recompiling things - you can run an asan-ized software with
non-asan-libs, but you cannot do it the other way round: non-asan
software with asan-libs break.)
Such a system could also be interesting as a high security linux
variant not vulnerable to common buffer overflows and other memory
errors. It is slower, but that may be acceptable. (However it should be
said that right now asan is incompatible with grsecurity - and probably
people who want a high secure linux variant want grsecurity.)
For now I just wanted to announce that I'm working on this, so people
who care can get in touch with me. I'll probably write a detailed blog
post at some point.
Depending on how much interest there is this may be something Gentoo
wants to consider as an official project and publish official stage
tarballs.
cu, Hanno
--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [gentoo-dev] Creating a Gentoo built with Address Sanitizer
On 7/2/15 9:12 AM, Hanno Böck wrote: Hi, Such a system could also be interesting as a high security linux variant not vulnerable to common buffer overflows and other memory errors. It is slower, but that may be acceptable. (However it should be said that right now asan is incompatible with grsecurity - and probably people who want a high secure linux variant want grsecurity.) Its actually PaX that is incompatible with -fsanitize=address because of the shadowing of the address space, so you can still use grsec and the other protections it provides like hardneing of chroots or rbac. Just turn off PaX when configuring the kernel. (Note: pax should be okay with -fsanitize=thread but I haven't tested). I think this is a cool project, but I'm more interested in asan's debugging abilities than a run time tool to stop memory abuses. I like pax's approach where the *kernel* simply doesn't allow certain memory uses, eg, pages are allocated either read+write or read+execute but never write+execute. I'd like to play with an amd64 stage3 and see how it asan gets along with the hardened toolchain and hardened kernel. For now I just wanted to announce that I'm working on this, so people who care can get in touch with me. I'll probably write a detailed blog post at some point. Depending on how much interest there is this may be something Gentoo wants to consider as an official project and publish official stage tarballs. cu, Hanno -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA
Re: [gentoo-dev] Git Migration: launch plan schedule (2015/Aug/08-09)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 07/02/2015 05:39 PM, Robin H. Johnson wrote: Hi all, The Git migration is moving forward, and I'd like to announce a tentative schedule for that end. https://wiki.gentoo.org/wiki/Project:Infrastructure/Git_migration#Stat us 2015/08/08 15:00 UTC - Freeze 2015/08/08 19:00 UTC - Git commits open for developers 2015/08/09 01:00 UTC - Rsync live again (with lagged changelog) 2015/08/11 - History repo available to graft 2015/08/12 - rsync mirrors carry up-to-date changelogs again I've allocated time for an 8 hour freeze, but hope to be completed much sooner than that. Sounds good. Thanks to all the hard workers out there. Does this mean that https://wiki.gentoo.org/wiki/Gentoo_git_workflow is no longer draft or needs work or another document is meant to display the new flow? Brian -BEGIN PGP SIGNATURE- Version: GnuPG v2.0 iQJ8BAEBCgBmBQJVlelqXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NkMyRTQ0RUQ5MEUzMjc1OEU3RDU1QzBE MUY3ODFFRkY5RjRBM0I2AAoJENH3ge/59KO243gQAJDjnfy15Pq0sBjRbVwEf+fg 9yKUHLMRreB35/mt9ywqX6i/qgm02V1Nzhm0mfA56zZIkg1rAQXIznojH22SQhzy P24c9zcCKXUTHaar/qOsGXfFqdSxVjAYsNwcurbUm1z0HvcvbmO+CP4AE3paqHXo xEAO+vQx38oBx+hItcSshXBuPYew/cKUKEwGYaL7U1KsUXwKT0dWM1n3yuxezTOr bOlzX1EGVlu9VJ9/svEEkxHfzD5GYpuHiDnDfKsdswFzdwaZEqh4jCB9fjPL1ewQ uLUZLD6kJgaYxVCY7fNUMZXS7qgoeCYHKQw5+tgVxXayb+x6szhH9SJ0f0ZYNInE 85xpE2i10WaAkbVWMsRSzitUaq/DwIwjrQAged/YXsKA9MU4nLD8nVKkQbEbeglU lpGs5JMOeTOct4G+Og4yZLyxEbi99Zs/kT6g6eAOHEYGzZZuJ4m/gWjAK/vvPtJQ ebb5IBoeaON+riMgCNT79Bk2eGT+VZnSHA7Uz6MbI8lyt0sCld5cOoM4tnmmLI08 wRAZZjdDNJgCW3NT2hPXPIxCRojudHHHj4NW8rrGPba++m2IW96/Xc0fbDZjQKJR 4Xv4kaRpdQDcw+B5nATdB2sUJXyItTsIzHHCXzbKPmyphURSNQJaHKr2vnsLebBI uKI4JA2Caw5N/idZaTC7 =hFP9 -END PGP SIGNATURE-
[gentoo-dev] [RFC] New Project: MATE
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Greetings all, Looking for some feedback on creating a new project and herd for the MATE Desktop environment. The goal, like many other DE based projects, is to provide up to date packaging and as complete an offering of the DE's packages as possible. Currently, the packages of the MATE Desktop DE are listed as maintained by TomWij (who is on long term devaway). Prior to acceptance into the Gentoo repo, it was worked on by lxnay and steev. All 3 have either not responded to inquiries, or have expressed limited interest in maintaining the DE. As a result, I felt the best way to support users was to move support of MATE away from any individual, and create a project and associated herd to manage the packages, thus allowing any developer that is interested in helping out an easy means of doing so. I've created a prospective Wiki project page: https://wiki.gentoo.org/wiki/Project:MATE and intend to have a mail alias, m...@gentoo.org, and an email channel for Gentoo support and development, #gentoo-mate. Any feedback regarding the aforementioned would be greatly appreciated. - -- NP-Hardass -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJVlZPAAAoJEBzZQR2yrxj7JnwQAI1AVH5Qi2l6nuWoQDr6DcVf yJ5m4dKX5KOQ/oi0ftDAb+cSkE5fbTLl/mhyKlz0w9VBVPH9pzU/MvdXW979Sk7r mSvV3EFQZMiEUq2IO2YdDjWhiaZR75t5j8DLrdRUYcwr7Hd0UZQJij0gQ7IsUlyx iozoqu4mU24yEkBWSicoKxXOk+1UyWHlS86wcgCnJX4qghMGme4iOLlguqJZHQ+T ngWYxJ4lupPsCA7sTNBTVroxULOgoHF61VHAAtDCjw8h1YZySE/Oh6cBpYtRenh6 QNZltvxN71yVq/SnxNNPupWiY6Oj53BZnDvAPXs33AmQhlMFEpHIfu5Uw71WlDsO mJZBn6PSUfDcYihcifPe0M+ESc5Kln2TsacZ5Rm6fbX0K2WwPAw4foJF12Rx64V8 4eEqTCCn9EePnFNa8GwoNfBPblwZeOP0vlf1HvsUA2QamcQ1wx3dFGMG+uvnE4HW LYgI1AYMT1YXKQi+oiEPEo8f6IIBoCdnkaxJ9ThwEkTofxaR3/Ow4/cWrND2a/gq OdAwA4d8S6OYOiBCaGYIRhI724Hk7h/7W9Bb+d7g4LlKPGS/6KXHFzIVtGYaDvyp HqCwiF90X4Ts5TDv/SjS+rROYEMQovtachnNoudGcJvTLOUJ1z+MYR79NWTfsB4m 41UsiQRf5SPC4gpjdJ4V =BUDB -END PGP SIGNATURE-
Re: [gentoo-dev] [RFC] New Project: MATE
El jue, 02-07-2015 a las 15:40 -0400, NP-Hardass escribió: Greetings all, Looking for some feedback on creating a new project and herd for the MATE Desktop environment. The goal, like many other DE based projects, is to provide up to date packaging and as complete an offering of the DE's packages as possible. Currently, the packages of the MATE Desktop DE are listed as maintained by TomWij (who is on long term devaway). Prior to acceptance into the Gentoo repo, it was worked on by lxnay and steev. All 3 have either not responded to inquiries, or have expressed limited interest in maintaining the DE. As a result, I felt the best way to support users was to move support of MATE away from any individual, and create a project and associated herd to manage the packages, thus allowing any developer that is interested in helping out an easy means of doing so. I've created a prospective Wiki project page: https://wiki.gentoo.org/wiki/Project:MATE and intend to have a mail alias, m...@gentoo.org, and an email channel for Gentoo support and development, #gentoo-mate. Any feedback regarding the aforementioned would be greatly appreciated. -- NP-Hardass I fully agree and I hope that helps with current MATE maintenance that is a bit stalled due to Tomwij devaway Thanks!
[gentoo-dev] Git Migration: launch plan schedule (2015/Aug/08-09)
Hi all, The Git migration is moving forward, and I'd like to announce a tentative schedule for that end. https://wiki.gentoo.org/wiki/Project:Infrastructure/Git_migration#Status 2015/08/08 15:00 UTC - Freeze 2015/08/08 19:00 UTC - Git commits open for developers 2015/08/09 01:00 UTC - Rsync live again (with lagged changelog) 2015/08/11 - History repo available to graft 2015/08/12 - rsync mirrors carry up-to-date changelogs again I've allocated time for an 8 hour freeze, but hope to be completed much sooner than that. -- Robin Hugh Johnson Gentoo Linux: Developer, Infrastructure Lead E-Mail : robb...@gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 signature.asc Description: Digital signature
Re: [gentoo-dev] Git Migration: launch plan schedule (2015/Aug/08-09)
Three cheers! Glad to see it happening. Thank you to everyone who helped to make this happen. -- NP-Hardass On July 2, 2015 5:39:52 PM EDT, Robin H. Johnson robb...@gentoo.org wrote: Hi all, The Git migration is moving forward, and I'd like to announce a tentative schedule for that end. https://wiki.gentoo.org/wiki/Project:Infrastructure/Git_migration#Status 2015/08/08 15:00 UTC - Freeze 2015/08/08 19:00 UTC - Git commits open for developers 2015/08/09 01:00 UTC - Rsync live again (with lagged changelog) 2015/08/11 - History repo available to graft 2015/08/12 - rsync mirrors carry up-to-date changelogs again I've allocated time for an 8 hour freeze, but hope to be completed much sooner than that. -- Robin Hugh Johnson Gentoo Linux: Developer, Infrastructure Lead E-Mail : robb...@gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 -- NP-Hardass
