Mailing List Archive

Don't kill hardened yet - Porting the patch forward is complete
Hello Everyone,
I just heard that gentoo-hardened will be scrapped by end-of-month.
Well, I have some good news - it doesn't have to be. A project has risen
up to continue supporting the patch on future kernels and I have been
running it successfully for over a month with the stock hardened
profile.

You can download the patches here, they are also GPG signed:
https://github.com/minipli/linux-unofficial_grsec/releases

So-called "linux-hardened project (KSPP)" and "SELinux" do not even
slightly compare at their current stage of development in terms of
kernel hardening and PaX protection. In the mid-term, I would recommend
using these forward patches for hardened-LTS 4.9.x and hope
Gentoo-hardened will continue for awhile longer while we wait for
further improvements.

Thank you for your time and concern.
Re: Don't kill hardened yet - Porting the patch forward is complete [ In reply to ]
After re-reading the official announcement, rather than the one I saw on
a tech news website, it appears only hardened-sources are being pulled
rather than the whole project. That is good news. For a moment I thought
all the PaX files were being removed, which would be a major blow to
security for those who need it.

Per announcement:
> Also, all PaX related packages, except
sys-kernel/hardened-sources, will remain available for the time being.
https://www.gentoo.org/support/news-items/2017-08-19-hardened-sources-removal.html

I guess I can live with an overlay for now, although
unofficial-hardened-sources would make a nice addition to the entire
project, they are very stable for me. Thank you again and keep up the
good work.

On 2017-08-23 10:10, bob@cadamail.com wrote:
> Hello Everyone,
> I just heard that gentoo-hardened will be scrapped by end-of-month.
> Well, I have some good news - it doesn't have to be. A project has
> risen up to continue supporting the patch on future kernels and I have
> been running it successfully for over a month with the stock hardened
> profile.
>
> You can download the patches here, they are also GPG signed:
> https://github.com/minipli/linux-unofficial_grsec/releases
>
> So-called "linux-hardened project (KSPP)" and "SELinux" do not even
> slightly compare at their current stage of development in terms of
> kernel hardening and PaX protection. In the mid-term, I would
> recommend using these forward patches for hardened-LTS 4.9.x and hope
> Gentoo-hardened will continue for awhile longer while we wait for
> further improvements.
>
> Thank you for your time and concern.
Re: Don't kill hardened yet - Porting the patch forward is complete [ In reply to ]
Have we thought about paying spender to give us patches? We could agree to
a license that requires it to be on Gentoo....just a thought

On Aug 23, 2017 11:20 AM, <bob@cadamail.com> wrote:

> After re-reading the official announcement, rather than the one I saw on a
> tech news website, it appears only hardened-sources are being pulled rather
> than the whole project. That is good news. For a moment I thought all the
> PaX files were being removed, which would be a major blow to security for
> those who need it.
>
> Per announcement:
>
>> Also, all PaX related packages, except
>>
> sys-kernel/hardened-sources, will remain available for the time being.
> https://www.gentoo.org/support/news-items/2017-08-19-hardene
> d-sources-removal.html
>
> I guess I can live with an overlay for now, although
> unofficial-hardened-sources would make a nice addition to the entire
> project, they are very stable for me. Thank you again and keep up the good
> work.
>
> On 2017-08-23 10:10, bob@cadamail.com wrote:
>
>> Hello Everyone,
>> I just heard that gentoo-hardened will be scrapped by end-of-month.
>> Well, I have some good news - it doesn't have to be. A project has
>> risen up to continue supporting the patch on future kernels and I have
>> been running it successfully for over a month with the stock hardened
>> profile.
>>
>> You can download the patches here, they are also GPG signed:
>> https://github.com/minipli/linux-unofficial_grsec/releases
>>
>> So-called "linux-hardened project (KSPP)" and "SELinux" do not even
>> slightly compare at their current stage of development in terms of
>> kernel hardening and PaX protection. In the mid-term, I would
>> recommend using these forward patches for hardened-LTS 4.9.x and hope
>> Gentoo-hardened will continue for awhile longer while we wait for
>> further improvements.
>>
>> Thank you for your time and concern.
>>
>
>
Re: Don't kill hardened yet - Porting the patch forward is complete [ In reply to ]
On Wed, 23 Aug 2017 12:13:31 -0500
Parker Schmitt <pjschmittgentoo@gmail.com> wrote:

> Have we thought about paying spender to give us patches? We could
> agree to a license that requires it to be on Gentoo....just a thought

Yeah, that won't work. spender and PaX team have made the experience
that if they publish their code under whatever license, some tech
companies will come along and use the code without giving a shit about
said license. That's one of the reasons why the 'stable' grsec patch
series, as well as their git repository, hadn't been public for quite a
while even before they made the decision to stop publishing code
altogether.

@Bob: The Gentoo Hardened project is aware of minipli's efforts, but it
has been decided not to make his tree available as an ebuild
in ::gentoo for now.

Since all a kernel ebuild does is to dump the sources in /usr/src, it
doesn't make much of a difference anyway, but if someone wants to
create an ebuild in their overlay, they're of course welcome to do so.

Regards,
Luis
Re: Don't kill hardened yet - Porting the patch forward is complete [ In reply to ]
Am 23.08.2017 20:58 schrieb Luis Ressel:
> Since all a kernel ebuild does is to dump the sources in /usr/src, it
> doesn't make much of a difference anyway, but if someone wants to
> create an ebuild in their overlay, they're of course welcome to do so.

It was included in the pentoo overlay two days ago:
https://github.com/pentoo/pentoo-overlay/tree/master/sys-kernel/minipli-sources

Regards,
Philipp