Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
On 06/23/2017 12:28, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.

So short-term, what's the next step one can do to hop off the
hardened-sources train before it runs out of track without a full
rebuild?

I'm planning on a full rebuild/re-install eventually for my dev box, but
it has been stuck on kernel 4.9.x since this shindig went down and I'd
like to get ahead to 4.11 or 4.12 instead of using my SGI machines to
discover new surprises. Safe for now to just switch to gentoo-sources
while retaining the hardened toolchain? Or would there be a few
additional steps needed?

I only use PaX for mprotect() and the ASLR capabilities, though I suspect
those might be in the standard sauce by now. As such, I haven't had to
deal with userland issues and PaX too much over the years.

--
Joshua Kinard
Gentoo/MIPS
ku...@gentoo.org
6144R/F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.
And our lives slip away, moment by moment, lost in that vast, terrible
in-between."
--Emperor Turhan, Centauri Republic
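The PaX markings Anthony refers to are carried per executable, one form being a PT_PAX_FLAGS program header whose p_flags bits enable or disable PAGEEXEC, MPROTECT, RANDMMAP and friends (the mprotect() and ASLR features Joshua mentions). The following is an added example, not code from the thread or from Gentoo's PaX tooling: it decodes that header from an ELF64 image and reports which relaxations a binary carries, using a constructed in-memory ELF rather than a file on disk, so it runs anywhere. The constants are taken from PaX's elf.h; the helper names are my own.

```python
import struct

# Constants from PaX's elf.h: PT_PAX_FLAGS = PT_LOOS + 0x5041580
PT_PAX_FLAGS = 0x65041580
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

# Bits carried in p_flags of a PT_PAX_FLAGS header; the NO* bits are the
# per-binary relaxations ("paxctl -m" sets NOMPROTECT, for example)
PAX_BITS = {
    "PAGEEXEC": 1 << 4, "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6, "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8, "NOMPROTECT": 1 << 9,
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}
RELAXATIONS = {n for n in PAX_BITS if n.startswith("NO")}


def pax_flags(elf: bytes) -> dict:
    """Read PIE-ness, PaX markings and stack executability from a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    info = {"pie": e_type == 3, "pax": None, "exec_stack": None}  # ET_DYN == 3
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            info["pax"] = sorted(n for n, bit in PAX_BITS.items() if p_flags & bit)
        elif p_type == PT_GNU_STACK:
            info["exec_stack"] = bool(p_flags & PF_X)
    return info


def relaxed(elf: bytes) -> list:
    """List the PaX relaxations a binary carries (the markings a reviewer would want justified)."""
    info = pax_flags(elf)
    found = sorted(RELAXATIONS & set(info["pax"] or []))
    if info["exec_stack"]:
        found.append("EXECSTACK")
    return found


def make_elf(e_type: int, phdrs) -> bytes:
    """Build a constructed, minimal x86_64 ELF64 image: header plus (p_type, p_flags) program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)


if __name__ == "__main__":
    # Constructed sample: a PIE marked like a JIT (mprotect disabled), non-executable stack
    jit = make_elf(3, [(PT_GNU_STACK, 6), (PT_PAX_FLAGS, PAX_BITS["NOMPROTECT"] | PAX_BITS["RANDMMAP"])])
    print(pax_flags(jit), relaxed(jit))
```

On a real system the same decoder can be pointed at an executable's bytes; Gentoo also stores markings in the user.pax.flags xattr, which this example does not read.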
[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2017-06-25 23:59 UTC
The attached list notes all of the packages that were added or removed
from the tree, for the week ending 2017-06-25 23:59 UTC.

Removals:

Additions:
app-crypt/acme-tiny                   20170620-22:46 NP-Hardass cbc49b3b9bb
app-emulation/skopeo                  20170623-21:55 williamh   ea3aa51b57d
dev-ml/bos                            20170620-21:31 aballier   b90ef0cb966
dev-ml/fpath                          20170620-21:26 aballier   1198068d5fb
dev-ml/patience_diff                  20170622-12:36 aballier   2bbea554372
dev-ml/rresult                        20170620-21:22 aballier   4a66c2b46db
dev-perl/Alien-Gnuplot                20170623-16:46 dilfridge  0e4a6567a2d
dev-perl/Dist-Zilla-Plugin-PodWeaver  20170620-20:11 dilfridge  bbdad215676
dev-perl/PDL-Graphics-Gnuplot         20170623-16:46 dilfridge  06c583613f5
dev-perl/PDL-Transform-Color          20170623-16:41 dilfridge  346d7be79fe
dev-perl/Pod-Elemental                20170620-19:48 dilfridge  510607269f0
dev-perl/Pod-Elemental-PerlMunger     20170620-19:50 dilfridge  6a84b4ab1e4
dev-perl/Pod-Weaver                   20170620-20:09 dilfridge  8102a3598f1
dev-perl/String-Truncate              20170620-19:45 dilfridge  91425d9f3d0
dev-python/colorspacious              20170609-12:22 floppym    e72a8e5565a
dev-python/pycobertura                20170621-14:01 mrueg      41982a2524f
dev-python/xapp                       20170624-14:56 k_f        e59440133fa
dev-util/patdiff                      20170622-12:38 aballier   e85c0d27917
media-libs/libffado                   20170623-12:33 aballier   0e4e3a0c73b
net-fs/minio                          20170623-17:57 mrueg      97ed822298b
net-libs/nDPI                         20170619-12:01 slis       805c605a0da
net-wireless/bluez-tools              20170625-19:45 k_f        45d64309354

--
Robin Hugh Johnson
Gentoo Linux Developer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
Re: [gentoo-dev] Last rites: ruby21-only packages
On Sat, 2017-06-24 at 16:09 +0500, Azamat Hackimov wrote:
> Hello.
> I submitted proxy-maintainer request some time ago for redmine:
> https://bugs.gentoo.org/show_bug.cgi?id=590646
> And here PR for new 3.3.3: https://github.com/gentoo/gentoo/pull/4550

I've added some comments to that pull request.

> 2017-06-24 14:23 GMT+05:00 M. J. Everitt :
> > On 23/06/17 08:45, Hans de Graaff wrote:
> > >
> > Really? I find it hard to believe that a common package like
> > redmine is ruby-21 only?!

ruby21-only in Gentoo and with no maintainer to file a bug. Given that
there is a pending pull request I've looked at this again and added
ruby22 as well, while loosening the dev-ruby/builder dependency that was
ruby21-only, and unmasked the package again.

Hans