On 06/23/2017 12:28, Anthony G. Basile wrote: > Hi everyone, > > Since late April, grsecurity upstream has stop making their patches > available publicly. Without going into details, the reason for their > decision revolves around disputes about how their patches were being > (ab)used. > > Since the grsecurity patch formed the main core of our hardened-sources > kernel, their decision has serious repercussions for the Hardened Gentoo > project. I will no longer be able to support hardened-sources and will > have to eventually mask and remove it from the tree. > > Hardened Gentoo has two sides to it, kernel hardening (done via > hardened-sources) and toolchain/executable hardening. The two are > interrelated but independent enough that toolchain hardening can > continue on its own. The hardened kernel, however, provided PaX > protection for executables and this will be lost. We did a lot of work > to properly maintain PaX markings in our package management system and > there was no part of Gentoo that wasn't touched by issues stemming from > PaX support. > > I waited two months before saying anything because the reasons were more > of a political nature than some technical issue. At this point, I think > its time to let the community know about the state of affairs with > hardened-sources. > > I can no longer get into the #grsecurity/OFTC channel (nothing personal, > they kicked everyone), and so I have not spoken to spengler or pipacs. > I don't know if they will ever release grsecurity patches again. > > My plan then is as follows. I'll wait one more month and then send out > a news item and later mask hardened-sources for removal. I don't > recommend we remove any of the machinery from Gentoo that deals with PaX > markings. > > I welcome feedback. >
So short-term, what's the next step one can do to hop off the hardened-sources train before it runs out of track without a full rebuild? I'm planning on a full rebuild/re-install eventually for my dev box, but it has been stuck on kernel 4.9.x since this shindig went down and I'd like to get ahead to 4.11 or 4.12 instead of using my SGI machines to discover new surprises. Safe for now to just switch to gentoo-sources while retaining hardened toolchain? Or would there be a few additional steps needed? I only use PaX for mprotect() and the ALSR capabilities, though I suspect those might be in the standard sauce by now. As such, I haven't had to deal with userland issues and PaX too much over the years. -- Joshua Kinard Gentoo/MIPS ku...@gentoo.org 6144R/F5C6C943 2015-04-27 177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943 "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
