Here is the meeting log /Magnus
[00:03:00] <Zorry> 1.0 Toolchain
[00:04:03] <Zorry> i have a fix for the hardenedno* and vanilla gcc-config options in the h-dev gcc 4.8.1
[00:04:46] <Zorry> will add the fix to the tree when it is tested some more
[00:05:15] <Zorry> it has to do with the GCC_SPEC getting added in the spec
[00:05:42] <Zorry> with gcc 4.8 we need it sooner than before
[00:06:19] <Zorry> so it has to be run before we do the driver_self_spec
[00:06:36] <Zorry> the fix i have now fixes that
[00:06:52] <Zorry> i still have to fix the asan thing
[00:07:14] <Zorry> else gcc 4.8 works fine
[00:08:01] <prometheanfire> cool
[00:08:04] <Zorry> that's all from me and blueness will have more on uclibc later on
[00:08:19] <Zorry> anyone else?
[00:08:24] <prometheanfire> none
[00:08:27] <SwifT> nope
[00:08:40] <Zorry> next then
[00:08:44] <Zorry> 2.0 Selinux
[00:09:02] <SwifT> I submitted policycoreutils-2.1.14-r3 to the tree which supports mcstrans
[00:09:11] <SwifT> mcstrans is a tool used to make sensitivities more human-readable
[00:09:22] <SwifT> so instead of "s0-s0:c0.c1024" it can now display whatever you want
[00:09:35] <SwifT> mcstrans is, as the name suggests, for MCS and MLS policies only though
[00:09:43] <SwifT> the selinux handbook has been updated in this regard
[00:09:54] <SwifT> also, the ebuild now uses python-r1 eclass
[00:10:16] <SwifT> same with sepolgen-1.1.9-r3, which fixes a few tests (FEATURES=test now works again for it ;-) and is also using python-r1
[00:10:38] <SwifT> policy-wise, 2.20130424-r2 is in the tree, ~arch'ed, with the regular set of updates
[00:10:56] <SwifT> not much, just the bugs we had on it - upstream is very calm lately (well, so am I :p)
[00:11:27] <prometheanfire> I've looked into creating openstack selinux policies, but they are moving too quick still. That's all I have for selinux.
[00:11:40] <SwifT> and finally, I've been quite silent lately because I'm working on a SELinux book (for publication) which will of course reference Gentoo hardened as well ;)
[00:11:52] <Zorry> :)
[00:12:01] <SwifT> I'm hoping to finish this off by mid august, that should give me more time again to do gentoo-stuff
[00:12:20] <prometheanfire> SwifT: from a friend, I've been told we have the best selinux docs online
[00:12:37] <prometheanfire> and let us know when we can buy it :D
[00:12:41] <SwifT> well, with the publication pending, I already have a few ideas to make them even better :)
[00:13:03] <SwifT> that's it for selinux for now
[00:13:12] <Zorry> anyone else?
[00:13:23] <Zorry> next then
[00:13:28] <Zorry> 3.0 System Integrity
[00:13:38] <SwifT> nothing here yet, sorry
[00:14:04] <Zorry> k
[00:14:18] <Zorry> next then
[00:14:25] <Zorry> blueness|chromeb: there?
[00:14:47] <Zorry> else we jump over to the next
[00:15:05] <Zorry> 5.0 Profiles
[00:15:20] <Zorry> any news on that?
[00:15:48] <Zorry> okay next then
[00:15:49] <SwifT> nope, and I'm actually glad I'm not ;)
[00:16:00] <SwifT> means that our current set of profiles are well integrated and maintainable
[00:16:17] <Zorry> 6.0 Docs
[00:16:30] <SwifT> I have some
[00:16:40] <Zorry> SwifT: go go
[00:16:55] <SwifT> a3li is working his *** off on the Gentoo wiki; I suspect that in the next few weeks, we'll hear more about moving project pages to the gentoo wiki
[00:17:14] <SwifT> i've "translated" all project pages, including hardened, to wiki style and they're available on my dev space
[00:17:33] <SwifT> once we can, I will probably move all our content to the wiki
[00:17:46] <SwifT> (all except selinux handbook because handbook format isn't "translated" yet)
[00:17:57] <SwifT> that should allow for everyone easier "management" of the documentation
[00:18:14] <SwifT> iirc, all documents in the Project: space on the wiki will only be editable by developers
[00:18:46] <SwifT> the GDP docs are already moving to the wiki, not under Project: namespace (just the regular one) and that's working quite well
[00:18:58] <SwifT> that's it
[00:19:19] <Zorry> i don't have anything
[00:19:27] <prometheanfire> pass
[00:19:50] <Zorry> anyone else?
[00:19:59] <Zorry> next then
[00:20:05] <Zorry> 7.0 bugs
[00:20:54] <Zorry> anyone?
[00:21:25] <Zorry> next then
[00:21:26] <SwifT> nope, all quiet
[00:21:34] <Zorry> 8.0 media
[00:21:57] <Zorry> nothing
[00:22:30] <Zorry> okay 9.0 open floor
[00:22:53] <Zorry> and take 4.0 and 4.1 when blueness gets in
[00:23:44] <SwifT> I'm hoping to use the Linux.com article about Linux security features later to map our own project with the mentioned technologies
[00:24:00] <blueness|chromeb> back
[00:24:23] <Zorry> blueness|chromeb: point 4.0 and 4.1
[00:24:23] <steev> blueness|chromeb: check out dat -arm pdf i linked you
[00:24:25] <SwifT> blueness|chromeb: go go go
[00:24:48] <Zorry> 4.0 Kernel and Grsec/PaX
[00:24:53] <blueness|chromeb> okay
[00:25:12] <blueness|chromeb> well, i'm very burnt out, too much work, so i've been relaxing
[00:25:35] <blueness|chromeb> so i'm only doing minimal maintenance, but there is nothing much new
[00:25:43] <blueness|chromeb> the pax xattr patch is in the kernels
[00:25:53] <blueness|chromeb> so all users now have xattr on tmpfs
[00:25:55] <blueness|chromeb> and
[00:26:05] <blueness|chromeb> bug #465000
[00:26:08] <willikins> blueness|chromeb: https://bugs.gentoo.org/465000 "xattr pax-marking is failes when done before running install"; Gentoo Linux, Hardened; CONF; nikoli:hardened
[00:26:23] <blueness|chromeb> is done, portage now preserves xattr pax flags during install
[00:26:44] <blueness|chromeb> i wrote a wrapper for install so whenever you do emake install ... it runs the wrapper
[00:26:55] <blueness|chromeb> and the wrapper preserves only usr.pax.flags
[00:27:10] <blueness|chromeb> this will be out with 2.1.12.9
[00:27:10] <SwifT> love it
[00:27:16] <Zorry> :)
[00:27:26] <blueness|chromeb> swc|666, we can add more if need be later
[00:27:31] <pipacs> blueness, also check today's mail on g-h ;)
[00:27:34] <blueness|chromeb> so now we have end-to-end pax flags
[00:27:55] <blueness|chromeb> pipacs, okay i will later, can you give me the gist of what it says?
[00:28:11] <pipacs> just the long ago promised reporting of mismatched process/lib flags
[00:28:20] <blueness|chromeb> ah great!
[00:28:47] <blueness|chromeb> so i can write some utility to read dmesg and report and/or act
[00:29:05] <blueness|chromeb> okay that's about it for grsec/pax
[00:29:19] <SwifT> if you're burned out, I recommend photography or reading SCP wiki :p
[00:29:26] <SwifT> always helps here
[00:29:31] <Zorry> 4.1 Kernel stabilization
[00:29:41] <Zorry> prometheanfire: ^^
[00:29:41] <blueness|chromeb> SwifT, yeah i literally have to not sit in front of a computer for a while!
[00:29:43] <prometheanfire> dpm
[00:29:48] <prometheanfire> bah
[00:30:14] <prometheanfire> don't know if there is much we need to do about it, just wanted to bring up vanilla's new stabilization policy
[00:30:34] <prometheanfire> that is, that they don't ever stabilize vanilla-sources
[00:30:51] <blueness|chromeb> yeah this is important
[00:30:58] <prometheanfire> the reasoning being the load placed on arch testers
[00:31:20] <prometheanfire> personally I'd rather go the route of a lower bar for these packages
[00:32:00] <blueness|chromeb> anyone following vanilla can't expect gentoo QA to have looked it over
[00:32:08] <blueness|chromeb> they will literally have to trust upstream
[00:32:21] <blueness|chromeb> so all vanilla-sources will be ~arch
[00:32:26] <SwifT> I can follow it completely - maintaining gentoo-sources is most likely a huge effort already, and since they can't fix vanilla-sources without upstreaming it, there is little to do - either stabilize without testing, or don't stabilize. I can follow the "don't stabilize" reasoning
[00:32:34] <blueness|chromeb> and they'll just add/remove the latest versions
[00:32:50] <blueness|chromeb> SwifT, precisely
[00:34:26] <Zorry> done?
[00:34:33] <SwifT> blueness|chromeb: btw, once again, congrats on making it to the council
[00:34:44] <blueness|chromeb> SwifT, thanks
[00:34:47] <prometheanfire> yes master
[00:34:49] <Zorry> blueness|chromeb: do you have uclibc stuff?
[00:34:58] <blueness|chromeb> and btw, it's an arm chromebook running gentoo off of sd
[00:35:05] <Zorry> blueness|chromeb: congrats
[00:35:08] <blueness|chromeb> Zorry, yes, just two fast points
[00:35:20] <prometheanfire> only other thing to note is to be ready for twitch153's devship
[00:35:28] <blueness|chromeb> 1) i'm going to do the uclibc stages every two months rather than every month
[00:35:34] <blueness|chromeb> it was too much to do every month
[00:35:46] <blueness|chromeb> and little benefit, so this relieves some pressure on me
[00:35:53] <prometheanfire> blueness|chromeb: gonna make a chromebook image?
[00:36:00] <blueness|chromeb> the only exception will be amd64 and x86 which are totally automated
[00:36:23] <blueness|chromeb> 2) gcc-4.8.1 works perfectly on mips, i may have reported that last time
[00:36:46] <blueness|chromeb> oh and 3) of course i'm still maintaining the amd64 uclibc desktop, that's 100% automated too
[00:36:59] <blueness|chromeb> prometheanfire, i could do lilblue on arm
[00:37:22] <blueness|chromeb> but i wish others would just unashamedly steal my scripts and do it for me :)
[00:37:30] <prometheanfire> what is lilblue anyway?
[00:37:31] <blueness|chromeb> okay done here
[00:37:59] <Zorry> anything else?
[00:38:00] <blueness|chromeb> lilblue = amd64 hardened uclibc xfce4 desktop. i just felt i ought to name it something and get kudos on freecode.com
[00:38:04] <blueness|chromeb> so i needed a name
[00:38:06] <prometheanfire> ah
[00:38:06] <blueness|chromeb> i'm done
[00:38:11] <prometheanfire> done
[00:39:06] <blueness|chromeb> http://www.gentoo.org/proj/en/hardened/uclibc/lilblue.xml
[00:39:08] <blueness|chromeb> oh wait!
[00:39:13] <blueness|chromeb> i have one more thing under toolchain
[00:39:25] <prometheanfire> :D
[00:39:26] <blueness|chromeb> i'm like 95% done with a stage3 amd64 built using musl
[00:39:34] <blueness|chromeb> musl is yet another libc
[00:39:43] <blueness|chromeb> but to be honest, i'm not sure about that one
[00:39:57] <blueness|chromeb> it's quite different even though i have some support in the tree
[00:40:07] <blueness|chromeb> okay *now* i'm done
[00:40:16] <blueness|chromeb> ^^^ see why i burn out! ^^^
[00:40:31] <Zorry> okay anything else or else the meeting is done