Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-12 Thread Max R.D. Parmer
On Fri, May 12, 2017, at 16:38, Alex Efros wrote: > Hi! > > On Fri, May 12, 2017 at 09:10:43PM +0200, "Tóth Attila" wrote: > > Please take a look at the reply of PaxTeam posted on the openwall > > mailing list: > > http://openwall.com/lists/kernel-hardening/2017/05/11/2 > > What's for? It's

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-12 Thread Tóth Attila
On 2017 May 8 (Mon) 23:12, Andrew Savchenko wrote: > Most likely KSPP project will come up, they are doing a good job: > bringing security features upstream fixing bugs in PaX code during > the process [1]. This is what PaX should have done long time ago, > they were even offered CII

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-08 Thread Miroslav Rovis
On 170508-22:49+0200, Miroslav Rovis wrote: > ... > I'll be back with an ebuild to discuss. > ... > On 170508-22:07+0200, Mathias Krause wrote: > > On 8 May 2017 at 20:08, Miroslav Rovis wrote: ... > > > Unofficial forward ports of the last publicly available

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-08 Thread Andrew Savchenko
On Mon, 1 May 2017 13:58:08 + Sven Vermeulen wrote: > On Mon, May 01, 2017 at 01:28:54PM +0300, Andrew Savchenko wrote: > > > The obvious step is indeed to stop further *current* development on > > > hardened-sources. > > > > Why not support hardened-sources while corresponding vanilla > >

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-08 Thread Miroslav Rovis
(thanks also to Luis Ressel for clarifications in the other email) (I'm only top posting because this reply of mine has no particularities to place it btwn any lines further below. Otherwise, I don't top post.) Mathias, I only wish to thank you for the quick reply and the tips below. And all my

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-08 Thread Mathias Krause
On 8 May 2017 at 20:08, Miroslav Rovis wrote: > [...] > But I saw the other link that gives me some hope: > > Unofficial forward ports of the last publicly available grsecurity patch >

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-08 Thread Luis Ressel
Hi, I don't have much to add, but I'd like to clear two misunderstandings here: On Mon, 8 May 2017 20:08:07 +0200 Miroslav Rovis wrote: > And really since late in 2016 no more entries in the Changelog. Pls. > note that I'm only stating the facts, not complaining.

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-08 Thread Miroslav Rovis
On 170502-10:28+0200, Daniel Cegiełka wrote: > https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project > > It closes the topic of our discussion. > And I read all the discussion in gentoo-hardened in regard. First, I'm a user[1], and I'm trying to continue to keep safe and secure as I

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-02 Thread Alex Efros
Hi! On Tue, May 02, 2017 at 09:58:18PM +0200, Daniel Cegiełka wrote: > This means that any future solution will not be compatible with current > PaX support. It doesn't mean that. That may happen, or not - if someone will bother about compatibility, for example. I also think it makes sense to

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-02 Thread Daniel Cegiełka
2017-05-02 19:23 GMT+02:00 "Tóth Attila" : > On 2017 May 2 (Tue) 18:59, Daniel Cegiełka wrote: >>> pax.?mark actually, since the eclass helper is called pax-mark. :) >>> I'd hold off on removing those for at least a few months, though. >>> >> >> If PAX_MPROTECT

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-02 Thread Daniel Cegiełka
2017-05-02 18:02 GMT+02:00 Luis Ressel : > On Tue, 2 May 2017 17:56:22 +0200 > Daniel Cegiełka wrote: > >> grep -r -e paxmark -e pax_kernel /usr/portage/ > > pax.?mark actually, since the eclass helper is called pax-mark. :) > I'd hold off on removing

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-02 Thread Luis Ressel
On Tue, 2 May 2017 17:56:22 +0200 Daniel Cegiełka wrote: > grep -r -e paxmark -e pax_kernel /usr/portage/ pax.?mark actually, since the eclass helper is called pax-mark. :) I'd hold off on removing those for at least a few months, though. Regards, Luis

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-02 Thread Daniel Cegiełka
2017-05-02 17:28 GMT+02:00 Luis Ressel : > On Mon, 1 May 2017 09:38:43 + > Sven Vermeulen wrote: > >> The obvious step is indeed to stop further *current* development on >> hardened-sources. I don't know how many additional patchsets are being >> implemented

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-02 Thread Luis Ressel
On Mon, 1 May 2017 09:38:43 + Sven Vermeulen wrote: > The obvious step is indeed to stop further *current* development on > hardened-sources. I don't know how many additional patchsets are being > implemented in it (blueness? Zorry?) so I don't know if it means that >

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-02 Thread Daniel Cegiełka
https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project It closes the topic of our discussion. worth reading: http://openwall.com/lists/kernel-hardening/2017/05/01/5 http://openwall.com/lists/kernel-hardening/2017/05/02/4 this means: * KSPP means that keeping PaX for >4.9 will be

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread SK
Shouldn't go to 4.10+, because it will be too much work. Best would be to maintain 4.9 LTS and not bother with 4.10 and all that. On 05/01/2017 04:53 PM, Daniel Cegiełka wrote: > 2017-05-01 16:20 GMT+02:00 SK : >> There is Subgraph that is going to keep maintaining 4.9.X

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread Daniel Cegiełka
2017-05-01 16:20 GMT+02:00 SK : > There is Subgraph that is going to keep maintaining 4.9.X LTS branch > with grsec & there is minipli[1] that is going to forward 4.9.X LTS > branch with grsec. > > Would be great to join forces to keep 4.9.X LTS alive while porting >

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread SK
There is Subgraph that is going to keep maintaining 4.9.X LTS branch with grsec & there is minipli[1] that is going to forward 4.9.X LTS branch with grsec. Would be great to join forces to keep 4.9.X LTS alive while porting features upstream. 1.

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread Sven Vermeulen
On Mon, May 01, 2017 at 01:28:54PM +0300, Andrew Savchenko wrote: > > The obvious step is indeed to stop further *current* development on > > hardened-sources. > > Why not support hardened-sources while corresponding vanilla > kernels are still supported? E.g. 4.9 is a longterm branch, so we >

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread Daniel Cegiełka
2017-05-01 13:00 GMT+02:00 Andrew Savchenko : > Hi, > > On Mon, 1 May 2017 12:24:14 +0200 Daniel Cegiełka wrote: > Are you sure PaX patches will be updated? Because PaXTeam claims > they will not be published [1]: (...) > Or do you suggest to support PaX with our own

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread Andrew Savchenko
Hi, On Mon, 1 May 2017 12:24:14 +0200 Daniel Cegiełka wrote: [...] > Summing up: > > * PaX is the most important part of Gentoo Hardened project > (Grsecurity, SELinux, RSBAC) > > * We can't use the 'grsecurity' name, which means that fork of > grsecurity == rewriting everything with

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread Andrew Savchenko
On Mon, 1 May 2017 09:38:43 + Sven Vermeulen wrote: > Hi all, > > There is a nice debate ongoing on the mailinglist [1] on the topic of > grsecurity's recent decision to no longer provide the test patches to the > public. I'd like to keep the debate on the rationale of it in that >

Re: [gentoo-hardened] Technical repercussions of grsecurity removal

2017-05-01 Thread Daniel Cegiełka
2017-05-01 11:38 GMT+02:00 Sven Vermeulen : > Hi all, > > There is a nice debate ongoing on the mailinglist [1] on the topic of > grsecurity's recent decision to no longer provide the test patches to the > public. I'd like to keep the debate on the rationale of it in that >