Mailing List Archive

About sys-kernel/hardened-sources removal
Hi!

The gentoo-dev list is not the right place to keep up discussion on why
or how the hardened-sources will be removed. Not this thread which is
about the news item.

Most packages just get masked and removed in 30 days for example without
sending a news item just an e-mail to gentoo-dev-announce. The only
reason why we are sending it is because most Gentoo Hardened users were
using the hardened-sources and deserve a heads-up as to what will happen
to them and what they can do after (as there will be no clear and simple
upgrade path with similar features).

Please do send further answers to gentoo-hardened which is the project's
mailing list.

On 18/08/17 at 02:59, R0b0t1 wrote:
> On Tue, Aug 15, 2017 at 3:03 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> On 15/08/17 at 17:50, R0b0t1 wrote:
>>> Where was this decision discussed?
>> https://archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff
>>
>> And many other threads in that list for example, those are just blueness
>> (the package maintainer) conclusions.
>>> The last available kernel is
>>> apparently receiving long term support, there may not be any reason to
>>> remove it.
>> Not by the original upstream, and definitively not in the way in which
>> Grsec used to (manually cherrypicking security related commits and not
>> just those marked as security related).
>>
> All blueness says in that is that he can't personally support the
> patches. That's fine, and nobody that I know of ever expected him to
> do that. However, until they are unfixably broken, why remove them?
> Keeping them until a suitable replacement is available seems like the
> best option available.
> There's no criteria in that notice for when they would be removed.
> What criteria was used to decide they are generating useless work and
> should be removed?
They are already unfixably broken. They are affected by stack clash
(when using certain obscure configs but nonetheless). They are to all
effects unmaintained (as in upstream not publishing patches we can
provide to you). And I'd rather not look at what other fixes came in the
4.9 tree since then that I have missed.
>> Although minipli's kernel patches are good and I personally recommend
>> them, this is not something the Gentoo Hardened team will do. Also they
>> probably should be renamed something else.
> I'm not sure anyone is asking the hardened team to do anything, except
> for people on the hardened team who want to remove the patches.
Then please address blueness about this (on the aforementioned thread)
and not me. I'm just the messenger who was asked to deliver the news.
>>> If it isn't broken and creating work yet I'm not sure why
>>> anyone cares.
>> Go to #gentoo-hardened and see how there are people asking about this
>> again and again :P
>>
> I'm not sure what you mean. There are people asking about it, but that
> doesn't necessarily mean they want it to happen. If something is done
> people are going to discuss it regardless of what it is.
I mean people are asking "what happens with the hardened-sources?" and we
have to answer. Now at least we have a clear path of action announced.
> Please understand, I don't want to keep an old version of the kernel
> and associated patches around forever, just until a replacement is
> actually found.
There are a few replacements, we aren't just providing an ebuild in the
portage tree for them (except for gentoo-sources, of course).

If you want to keep the ebuilds and patches I recommend you set up a
personal overlay instead.
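The message above recommends keeping the ebuilds and patches in a personal overlay rather than asking for them to stay in the main tree. The script below is an added example, not part of the thread or of any Gentoo project code: it lays out the minimal skeleton Portage expects for a local repository and writes the repos.conf fragment that registers it. The repository name "local-hardened" and the paths passed in are assumptions; the ebuild and its files/ directory are not created here and have to be copied in from the last tree snapshot by hand. Keeping the ebuild building this way does nothing about the unfixed issues klondike mentions (stack clash in some configurations, no upstream patches), so a machine running such a kernel still needs its own plan for tracking fixes.

```shell
#!/bin/sh
# Added example (not from the thread): create a minimal personal Portage
# overlay so a locally kept sys-kernel/hardened-sources ebuild keeps
# building after its removal from the main tree.  Repository name and
# paths are assumptions supplied by the caller.
set -eu

# create_overlay ROOT NAME: write the skeleton files Portage needs to
# recognise ROOT as an ebuild repository named NAME, plus the category
# directory the kept ebuild will live in.
create_overlay() {
    root=$1
    name=$2
    mkdir -p "$root/metadata" "$root/profiles" "$root/sys-kernel/hardened-sources"
    printf 'masters = gentoo\n' > "$root/metadata/layout.conf"
    printf '%s\n' "$name" > "$root/profiles/repo_name"
}

# write_repos_conf CONFDIR ROOT NAME: write the repos.conf fragment that
# registers the overlay.  auto-sync = no because the overlay is maintained
# by hand and there is no remote to sync from.
write_repos_conf() {
    confdir=$1
    root=$2
    name=$3
    mkdir -p "$confdir"
    cat > "$confdir/$name.conf" <<EOF
[$name]
location = $root
masters = gentoo
auto-sync = no
EOF
}

# check_overlay ROOT NAME: return 0 if the skeleton is complete and the
# recorded repo name matches NAME, 1 otherwise.  A cheap sanity check to
# run before the first emerge against the overlay.
check_overlay() {
    root=$1
    name=$2
    [ -f "$root/metadata/layout.conf" ] || return 1
    [ -f "$root/profiles/repo_name" ] || return 1
    [ "$(cat "$root/profiles/repo_name")" = "$name" ] || return 1
    grep -q '^masters = gentoo$' "$root/metadata/layout.conf" || return 1
    [ -d "$root/sys-kernel/hardened-sources" ] || return 1
}
```

Typical use on a real system would be `create_overlay /var/db/repos/local-hardened local-hardened` followed by `write_repos_conf /etc/portage/repos.conf /var/db/repos/local-hardened local-hardened`, then copying the last hardened-sources ebuild and its files/ directory into `sys-kernel/hardened-sources/` and regenerating the Manifest with `ebuild <path-to-ebuild> manifest` before emerging. Any version you keep this way is frozen at the point the tree dropped it; nothing in the overlay pulls in later fixes.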

Re: About sys-kernel/hardened-sources removal
Hello again,

That you split this off caused me to miss your message.

On Sat, Aug 19, 2017 at 5:54 AM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> Hi!
>
> The gentoo-dev list is not the right place to keep up discussion on why
> or how the hardened-sources will be removed. Not this thread which is
> about the news item.
>

Discussing the validity of the news item seems topical.

> Most packages just get masked and removed in 30 days for example without
> sending a news item just an e-mail to gentoo-dev-announce. The only
> reason why we are sending it is because most Gentoo Hardened users were
> using the hardened-sources and deserve a heads-up as to what will happen
> to them and what they can do after (as there will be no clear and simple
> upgrade path with similar features).
>
> Please do send further answers to gentoo-hardened which is the project's
> mailing list.
>

At this point I am following up here because the issue is time sensitive.

> On 18/08/17 at 02:59, R0b0t1 wrote:
>> On Tue, Aug 15, 2017 at 3:03 PM, Francisco Blas Izquierdo Riera
>> (klondike) <klondike@gentoo.org> wrote:
>>> On 15/08/17 at 17:50, R0b0t1 wrote:
>>>> Where was this decision discussed?
>>> https://archives.gentoo.org/gentoo-hardened/message/62ebc2e26d91e8f079197c2c83788cff
>>>
>>> And many other threads in that list for example, those are just blueness
>>> (the package maintainer) conclusions.
>>>> The last available kernel is
>>>> apparently receiving long term support, there may not be any reason to
>>>> remove it.
>>> Not by the original upstream, and definitively not in the way in which
>>> Grsec used to (manually cherrypicking security related commits and not
>>> just those marked as security related).
>>>
>> All blueness says in that is that he can't personally support the
>> patches. That's fine, and nobody that I know of ever expected him to
>> do that. However, until they are unfixably broken, why remove them?
>> Keeping them until a suitable replacement is available seems like the
>> best option available.
>> There's no criteria in that notice for when they would be removed.
>> What criteria was used to decide they are generating useless work and
>> should be removed?
> They are already unfixably broken. They are affected by stack clash
> (when using certain obscure configs but nonetheless). They are to all
> effects unmaintained (as in upstream not publishing patches we can
> provide to you). And I'd rather not look at what other fixes came in the
> 4.9 tree since then that I have missed.

They are not unfixably broken for most users. I have no doubt that
there are stable packages in existence with bugs open against them.
Likewise there are no doubt unmaintained packages in existence.

>>> Although minipli's kernel patches are good and I personally recommend
>>> them, this is not something the Gentoo Hardened team will do. Also they
>>> probably should be renamed something else.
>> I'm not sure anyone is asking the hardened team to do anything, except
>> for people on the hardened team who want to remove the patches.
> Then please address blueness about this (on the aforementioned thread)
> and not me. I'm just the messenger who was asked to deliver the news.

I suppose I will rejoin the hardened mailing list. However, all I was
doing was asking you for explanations. I feel you should be able to
address my concerns as if you can't explain why you are doing what you
are doing, then why are you doing it?

>>>> If it isn't broken and creating work yet I'm not sure why
>>>> anyone cares.
>>> Go to #gentoo-hardened and see how there are people asking about this
>>> again and again :P
>>>
>> I'm not sure what you mean. There are people asking about it, but that
>> doesn't necessarily mean they want it to happen. If something is done
>> people are going to discuss it regardless of what it is.
> I mean people are asking "what happens with the hardened-sources?" and we
> have to answer. Now at least we have a clear path of action announced.

Keeping the sources in the tree seems to be an equally valid course of action.

>> Please understand, I don't want to keep an old version of the kernel
>> and associated patches around forever, just until a replacement is
>> actually found.
> There are a few replacements, we aren't just providing an ebuild in the
> portage tree for them (except for gentoo-sources, of course).
>
> If you want to keep the ebuilds and patches I recommend you set up a
> personal overlay instead.
>

If there aren't Gentoo-maintained ebuilds for them, then they are not
really an option of the same caliber.

R0b0t1.