The state of grsecurity in gentoo
Hi everyone,

So by now most people have heard the news that the Grsecurity/PaX team
are no longer going to be making their stable patches available. The
reason is that they are in dispute with a certain embedded systems
vendor and those negotiations broke down. So they decided to make their
stable patches only available to the sponsors. [1]

What does this mean for Gentoo? Up until now I have been maintaining
both the grsec upstream stable and testing patchsets in our
hardened-sources. Currently the upstream stable kernels are 3.2.71 and
3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
3.14.51 patchsets will no longer be available and I'll continue pushing
out the 4.1.6. Unfortunately the testing patchset is precisely as the
name suggests --- for testing and not production. For the embedded
systems company this will be the kiss of death because those patches are
not suitable for long term. For Gentoo it will mean that I will have to
be more vigilant about bugs and trying to stick with a well known kernel
before moving on. You can still use these kernels in production, but
you must be careful about instabilities as upstream pushes out
experimental features that may oops or panic. Keep older kernel images
around and revert if it doesn't work. Look to this list for
announcements about more serious issues like things that can cause data
loss.

I'm hoping that once this company feels the sting of what has just
happened, they'll come back to the table and talk with Grsec/PaX people.
They won't be able to ship boards with grsec anymore because it's not so
easy to switch out a kernel on a board! If they ship a board with a
bug, they lose. We just reboot :)

[1] https://grsecurity.net/

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: The state of grsecurity in gentoo
On 2015-09-02 12:13, Anthony G. Basile wrote:
> Hi everyone,
>
> So by now most people have heard the news that the Grsecurity/PaX team
> are no longer going to be making their stable patches available. The
> reason is that they are in dispute with a certain embedded systems
> vendor and those negotiations broke down. So they decided to make their
> stable patches only available to the sponsors. [1]
>
> What does this mean for Gentoo? Up until now I have been maintaining
> both the grsec upstream stable and testing patchsets in our
> hardened-sources. Currently the upstream stable kernels are 3.2.71 and
> 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
> 3.14.51 patchsets will no longer be available and I'll continue pushing
> out the 4.1.6. Unfortunately the testing patchset is precisely as the
> name suggests --- for testing and not production. For the embedded
> systems company this will be the kiss of death because those patches are
> not suitable for long term. For Gentoo it will mean that I will have to
> be more vigilant about bugs and trying to stick with a well known kernel
> before moving on. You can still use these kernels in production, but
> you must be careful about instabilities as upstream pushes out
> experimental features that may oops or panic. Keep older kernel images
> around and revert if it doesn't work. Look to this list for
> announcements about more serious issues like things that can cause data
> loss.

This would be a pretty good news item. Are you going to make it one?
Re: The state of grsecurity in gentoo
On 02/09/15 at 18:13, Anthony G. Basile wrote:
> Hi everyone,
>
> So by now most people have heard the news that the Grsecurity/PaX team
> are no longer going to be making their stable patches available. The
> reason is that they are in dispute with a certain embedded systems
> vendor and those negotiations broke down. So they decided to make
> their stable patches only available to the sponsors. [1]
>
> What does this mean for Gentoo? Up until now I have been maintaining
> both the grsec upstream stable and testing patchsets in our
> hardened-sources. Currently the upstream stable kernels are 3.2.71
> and 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71
> and 3.14.51 patchsets will no longer be available and I'll continue
> pushing out the 4.1.6. Unfortunately the testing patchset is
> precisely as the name suggests --- for testing and not production.
> For the embedded systems company this will be the kiss of death
> because those patches are not suitable for long term. For Gentoo it
> will mean that I will have to be more vigilant about bugs and trying
> to stick with a well known kernel before moving on. You can still use
> these kernels in production, but you must be careful about
> instabilities as upstream pushes out experimental features that may
> oops or panic. Keep older kernel images around and revert if it
> doesn't work. Look to this list for announcements about more serious
> issues like things that can cause data loss.
>
> I'm hoping that once this company feels the sting of what has just
> happened, they'll come back to the table and talk with Grsec/PaX people.
> They won't be able to ship boards with grsec anymore because it's not
> so easy to switch out a kernel on a board! If they ship a board with
> a bug, they lose. We just reboot :)
>
> [1] https://grsecurity.net/
>
The only thing to add here is that spender expects the unstable kernels to
become more stable in the medium term because of this.
Re: The state of grsecurity in gentoo
* Anthony G. Basile wrote on 02.09.15 at 18:13:
> Hi everyone,
>
> So by now most people have heard the news that the Grsecurity/PaX team
> are no longer going to be making their stable patches available. The
> reason is that they are in dispute with a certain embedded systems
> vendor and those negotiations broke down. So they decided to make their
> stable patches only available to the sponsors. [1]
>
> What does this mean for Gentoo? Up until now I have been maintaining
> both the grsec upstream stable and testing patchsets in our
> hardened-sources. Currently the upstream stable kernels are 3.2.71 and
> 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
> 3.14.51 patchsets will no longer be available and I'll continue pushing
> out the 4.1.6. Unfortunately the testing patchset is precisely as the
> name suggests --- for testing and not production. For the embedded
> systems company this will be the kiss of death because those patches are
> not suitable for long term. For Gentoo it will mean that I will have to
> be more vigilant about bugs and trying to stick with a well known kernel
> before moving on. You can still use these kernels in production, but
> you must be careful about instabilities as upstream pushes out
> experimental features that may oops or panic. Keep older kernel images
> around and revert if it doesn't work. Look to this list for
> announcements about more serious issues like things that can cause data
> loss.
>
> I'm hoping that once this company feels the sting of what has just
> happened, they'll come back to the table and talk with Grsec/PaX people.
> They won't be able to ship boards with grsec anymore because it's not so
> easy to switch out a kernel on a board! If they ship a board with a
> bug, they lose. We just reboot :)
>
> [1] https://grsecurity.net/

Can't Gentoo be a sponsor? I think we could easily crowdfund a
sponsorship.

This would help Gentoo and Grsecurity/PaX but OTOH that vendor might just
use the gentoo kernel if they haven't already done so.

Thoughts?

--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134
Re: The state of grsecurity in gentoo
On 09/03/2015 02:28 PM, Marc Schiffbauer wrote:
> * Anthony G. Basile wrote on 02.09.15 at 18:13:
>> Hi everyone,
>>
>> So by now most people have heard the news that the Grsecurity/PaX team
>> are no longer going to be making their stable patches available. The
>> reason is that they are in dispute with a certain embedded systems
>> vendor and those negotiations broke down. So they decided to make their
>> stable patches only available to the sponsors. [1]
>>
>> What does this mean for Gentoo? Up until now I have been maintaining
>> both the grsec upstream stable and testing patchsets in our
>> hardened-sources. Currently the upstream stable kernels are 3.2.71 and
>> 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
>> 3.14.51 patchsets will no longer be available and I'll continue pushing
>> out the 4.1.6. Unfortunately the testing patchset is precisely as the
>> name suggests --- for testing and not production. For the embedded
>> systems company this will be the kiss of death because those patches are
>> not suitable for long term. For Gentoo it will mean that I will have to
>> be more vigilant about bugs and trying to stick with a well known kernel
>> before moving on. You can still use these kernels in production, but
>> you must be careful about instabilities as upstream pushes out
>> experimental features that may oops or panic. Keep older kernel images
>> around and revert if it doesn't work. Look to this list for
>> announcements about more serious issues like things that can cause data
>> loss.
>>
>> I'm hoping that once this company feels the sting of what has just
>> happened, they'll come back to the table and talk with Grsec/PaX people.
>> They won't be able to ship boards with grsec anymore because it's not so
>> easy to switch out a kernel on a board! If they ship a board with a
>> bug, they lose. We just reboot :)
>>
>> [1] https://grsecurity.net/
>
> Can't Gentoo be a sponsor? I think we could easily crowdfund a
> sponsorship.
>
> This would help Gentoo and Grsecurity/PaX but OTOH that vendor might just
> use the gentoo kernel if they haven't already done so.
>
> Thoughts?
>
We can't do that because it would make the LTS patches public, which
spender is trying to avoid.

--
Matthew Thode (prometheanfire)
Re: The state of grsecurity in gentoo
* Matthew Thode wrote on 03.09.15 at 21:46:
> On 09/03/2015 02:28 PM, Marc Schiffbauer wrote:
> > * Anthony G. Basile wrote on 02.09.15 at 18:13:
> >> Hi everyone,
> >>
> >> So by now most people have heard the news that the Grsecurity/PaX team
> >> are no longer going to be making their stable patches available. The
> >> reason is that they are in dispute with a certain embedded systems
> >> vendor and those negotiations broke down. So they decided to make their
> >> stable patches only available to the sponsors. [1]
> >>
> >> What does this mean for Gentoo? Up until now I have been maintaining
> >> both the grsec upstream stable and testing patchsets in our
> >> hardened-sources. Currently the upstream stable kernels are 3.2.71 and
> >> 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
> >> 3.14.51 patchsets will no longer be available and I'll continue pushing
> >> out the 4.1.6. Unfortunately the testing patchset is precisely as the
> >> name suggests --- for testing and not production. For the embedded
> >> systems company this will be the kiss of death because those patches are
> >> not suitable for long term. For Gentoo it will mean that I will have to
> >> be more vigilant about bugs and trying to stick with a well known kernel
> >> before moving on. You can still use these kernels in production, but
> >> you must be careful about instabilities as upstream pushes out
> >> experimental features that may oops or panic. Keep older kernel images
> >> around and revert if it doesn't work. Look to this list for
> >> announcements about more serious issues like things that can cause data
> >> loss.
> >>
> >> I'm hoping that once this company feels the sting of what has just
> >> happened, they'll come back to the table and talk with Grsec/PaX people.
> >> They won't be able to ship boards with grsec anymore because it's not so
> >> easy to switch out a kernel on a board! If they ship a board with a
> >> bug, they lose. We just reboot :)
> >>
> >> [1] https://grsecurity.net/
> >
> > Can't Gentoo be a sponsor? I think we could easily crowdfund a
> > sponsorship.
> >
> > This would help Gentoo and Grsecurity/PaX but OTOH that vendor might just
> > use the gentoo kernel if they haven't already done so.
> >
> > Thoughts?
> >
> We can't do that because it would make the LTS patches public, which
> spender is trying to avoid.

True, and that is what I wanted to say with the OTOH part. But doesn't this
apply to any sponsor? I mean we are talking about GPL'ed software... does the
GPL permit distributing source under some kind of NDA?

I fully respect their decision but I hope things will be back to normal
again soon.

-Marc

--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134
Re: The state of grsecurity in gentoo
On 03.09.2015 23:08, Marc Schiffbauer wrote:
> * Matthew Thode wrote on 03.09.15 at 21:46:
>> On 09/03/2015 02:28 PM, Marc Schiffbauer wrote:
>> > * Anthony G. Basile wrote on 02.09.15 at 18:13:
>> >> Hi everyone,
>> >>
>> >> So by now most people have heard the news that the Grsecurity/PaX team
>> >> are no longer going to be making their stable patches available. The
>> >> reason is that they are in dispute with a certain embedded systems
>> >> vendor and those negotiations broke down. So they decided to make their
>> >> stable patches only available to the sponsors. [1]
>> >>
>> >> What does this mean for Gentoo? Up until now I have been maintaining
>> >> both the grsec upstream stable and testing patchsets in our
>> >> hardened-sources. Currently the upstream stable kernels are 3.2.71 and
>> >> 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
>> >> 3.14.51 patchsets will no longer be available and I'll continue pushing
>> >> out the 4.1.6. Unfortunately the testing patchset is precisely as the
>> >> name suggests --- for testing and not production. For the embedded
>> >> systems company this will be the kiss of death because those patches are
>> >> not suitable for long term. For Gentoo it will mean that I will have to
>> >> be more vigilant about bugs and trying to stick with a well known kernel
>> >> before moving on. You can still use these kernels in production, but
>> >> you must be careful about instabilities as upstream pushes out
>> >> experimental features that may oops or panic. Keep older kernel images
>> >> around and revert if it doesn't work. Look to this list for
>> >> announcements about more serious issues like things that can cause data
>> >> loss.
>> >>
>> >> I'm hoping that once this company feels the sting of what has just
>> >> happened, they'll come back to the table and talk with Grsec/PaX people.
>> >> They won't be able to ship boards with grsec anymore because it's not so
>> >> easy to switch out a kernel on a board! If they ship a board with a
>> >> bug, they lose. We just reboot :)
>> >>
>> >> [1] https://grsecurity.net/
>> >
>> > Can't Gentoo be a sponsor? I think we could easily crowdfund a
>> > sponsorship.
>> >
>> > This would help Gentoo and Grsecurity/PaX but OTOH that vendor might just
>> > use the gentoo kernel if they haven't already done so.
>> >
>> > Thoughts?
>> >
>> We can't do that because it would make the LTS patches public, which
>> spender is trying to avoid.
>
> True, and that is what I wanted to say with the OTOH part. But doesn't this
> apply to any sponsor? I mean we are talking about GPL'ed software... does the
> GPL permit distributing source under some kind of NDA?
>
> I fully respect their decision but I hope things will be back to normal
> again soon.
>

No, you can't override the GPL with an NDA. But a sponsor - who is
selling products based on grsecurity - is not required to make the code
available to the general public, only to the customer who pays for the
product. They're also not required to make their /patches/ available,
only the complete source. So even if you get the sources from a customer
(or you buy the product yourself), you would have to diff the code
against a vanilla kernel - and then you only get a huge patch that
includes *all* changes. Extracting just the grsecurity patch from that
is complicated and error-prone. You'll probably run into fewer bugs if
you just stick to the public testing patches.

Philipp
Re: The state of grsecurity in gentoo
* philipp.ammann@posteo.de wrote on 04.09.15 at 13:33:
> On 03.09.2015 23:08, Marc Schiffbauer wrote:
> > True, and that is what I wanted to say with the OTOH part. But doesn't this
> > apply to any sponsor? I mean we are talking about GPL'ed software... does the
> > GPL permit distributing source under some kind of NDA?
> >
> > I fully respect their decision but I hope things will be back to normal
> > again soon.
> >
>
> No, you can't override the GPL with an NDA. But a sponsor - who is
> selling products based on grsecurity - is not required to make the code
> available to the general public, only to the customer who pays for the
> product. They're also not required to make their /patches/ available,
> only the complete source. So even if you get the sources from a customer
> (or you buy the product yourself), you would have to diff the code
> against a vanilla kernel - and then you only get a huge patch that
> includes *all* changes. Extracting just the grsecurity patch from that
> is complicated and error-prone. You'll probably run into fewer bugs if
> you just stick to the public testing patches.

Yes, but the point I was trying to make is: such a customer can make the
sources available to the public. I am NOT saying we should do this, but
in theory it would be possible.
Let's see what the future brings. This is going to be too OT ;)

-Marc

--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134
Re: The state of grsecurity in gentoo
On 4 Sep 2015 13:38, "Marc Schiffbauer" <mschiff@gentoo.org> wrote:
> Yes, but the point I was trying to make is: Such a customer can make the
> sources available to the public.

The software industry is full of hypocrisies like this. Yes it is true that
a company cannot legally stop a customer from releasing GPLed code; in
reality they just use other threats to get what they want. For example, if
you release code today, we will not give you the update tomorrow, or if you
have a problem we don't answer the phone or you want to renew your contract
next year? Sorry it costs 2x now. Etc.
Re: The state of grsecurity in gentoo
On 04/09/15 14:37, Marc Schiffbauer wrote:
> * philipp.ammann@posteo.de wrote on 04.09.15 at 13:33:
>> On 03.09.2015 23:08, Marc Schiffbauer wrote:
>>> True, and that is what I wanted to say with the OTOH part. But doesn't
>>> this apply to any sponsor? I mean we are talking about GPL'ed
>>> software... does the GPL permit distributing source under some
>>> kind of NDA?
>>>
>>> I fully respect their decision but I hope things will be back
>>> to normal again soon.
>>>
>>
>> No, you can't override the GPL with an NDA. But a sponsor - who is
>> selling products based on grsecurity - is not required to make
>> the code available to the general public, only to the customer
>> who pays for the product. They're also not required to make their
>> /patches/ available, only the complete source. So even if you get
>> the sources from a customer (or you buy the product yourself),
>> you would have to diff the code against a vanilla kernel - and
>> then you only get a huge patch that includes *all* changes.
>> Extracting just the grsecurity patch from that is complicated and
>> error-prone. You'll probably run into fewer bugs if you just stick
>> to the public testing patches.
>
> Yes, but the point I was trying to make is: Such a customer can
> make the sources available to the public. I am NOT saying we should
> do this but in theory it would be possible. Let's see what the
> future brings. This is going to be too OT ;)
>
> -Marc
>

I tried to fix a PaX patch some time ago. After the attempt I think my
"patch" started to make coffee instead of working as a true patch.

Yeah! You could try to do that and maybe you would accidentally create
a new AI life form in the process.

Tainting Grsec-PaX patches is hard, and if you don't know what you are
doing it's something like a terrible toothache.

I think that with distribution, if grsec is considered a derivative
work of the Linux kernel, the sponsor must make the source code
available to the public; I don't think the patch, just the source code.
The question, I think, is whether, if they try to fork grsec, the effort
to make a good grsec patch from the sources and a vanilla kernel and
maintain it in a good state at the same level as Brad and Pipacs do is
feasible for them in time, in quality and economically. I don't think so.

Apple Apple said:
>
> The software industry is full of hypocrisies like this. Yes it is
> true that a company cannot legally stop a customer from releasing
> GPLed code; in reality they just use other threats to get what they
> want. For example, if you release code today, we will not give you
> the update tomorrow, or if you have a problem we don't answer the
> phone or you want to renew your contract next year? Sorry it costs
> 2x now. Etc.
>

IMO, free as in freedom, not price. Welcome to the services business model.
Brad needs to live too, don't you think? If they want Brad to
support the source code (I don't know the case in question) that they
will use freely for their business, it's logical that Brad wants a fee for
his time. At least I think so. Isn't it?

The GPL doesn't forbid modifying the source code if they want to do what Brad
does... if they have the knowledge, the time and all the coffee
needed, and the GPL doesn't make the maintainers slaves either :).



Re: The state of grsecurity in gentoo
* Anthony G. Basile wrote on 02.09.15 at 18:13:
> Hi everyone,
>
> So by now most people have heard the news that the Grsecurity/PaX team
> are no longer going to be making their stable patches available. The
> reason is that they are in dispute with a certain embedded systems
> vendor and those negotiations broke down. So they decided to make their
> stable patches only available to the sponsors. [1]
>
> What does this mean for Gentoo?
[...]

Anthony,

patches are available until the 9th. Could you leave the latest 3.14
version in tree? Or do you plan to unpublish them in the tree, too?
Would spender or pipacs want or welcome that we do this?

TIA
-Marc

--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134
Re: The state of grsecurity in gentoo
On 9/5/15 5:44 AM, Marc Schiffbauer wrote:
> * Anthony G. Basile wrote on 02.09.15 at 18:13:
>> Hi everyone,
>>
>> So by now most people have heard the news that the Grsecurity/PaX team
>> are no longer going to be making their stable patches available. The
>> reason is that they are in dispute with a certain embedded systems
>> vendor and those negotiations broke down. So they decided to make their
>> stable patches only available to the sponsors. [1]
>>
>> What does this mean for Gentoo?
> [...]
>
> Anthony,
>
> patches are available until the 9th. Could you leave the latest 3.14
> version in tree? Or do you plan to unpublish them in the tree, too?
> Would spender or pipacs want or welcome that we do this?
>
> TIA
> -Marc
>

I'm not sure yet how I will deprecate, but I think I have to. Upstream
thinks I'm too slow at deprecating already. They push out daily patches
and we want to stabilize after a month. Try balancing that out!

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: The state of grsecurity in gentoo
On Wednesday 02 September 2015 12:13:33 Anthony G. Basile wrote:

> I'm hoping that once this company feels the sting of what has just
> happened, they'll come back to the table and talk with Grsec/PaX people.
> They won't be able to ship boards with grsec anymore because it's not so
> easy to switch out a kernel on a board! If they ship a board with a
> bug, they lose. We just reboot :)
>
> [1] https://grsecurity.net/

I accept their reasons for not listing the company/companies involved.
But I would like to know which companies are causing this, so I can avoid
supporting them.

--
Joost