
Re: [alpine-devel] grsec go or no-go call for 3.6

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Wed, 5 Apr 2017 22:07:43 +0200

On Sun, 2 Apr 2017 21:18:16 -0500
William Pitcock <nenolod_at_dereferenced.org> wrote:

> Hello,
>
> On Sun, Apr 2, 2017 at 2:54 PM, Francesco Colista
> <fcolista_at_alpinelinux.org> wrote:
> > On 2017-04-02 00:39 William Pitcock wrote:
> >>
> >> Hello,
> >>
> >> It is getting to the point to decide whether we wish to continue
> >> including grsec kernel for 3.6.
> >> There are three options that I can see:
> >>
> >> 1. Ship grsec in Alpine 3.6 and see what happens. Revisit this issue
> >> in Alpine 3.7.
> >
> >
> > One of the paradigms of Alpine is "secure".
> > grsec contributed so far in making Alpine "secure".
>
> How has grsec improved the security of aarch64, ppc64le or s390x?
> It has been previously proposed to remove grsec at the same time that
> we remove support for 32-bit x86, should that ever happen.
>
> > I would not make any important decision based on a "possibility", rather on
> > official announcements.
>
> Unfortunately, we do need to make a decision.

I think we try to keep grsecurity for v3.6.

> While it is true that upstream may ultimately decide to not withdraw
> the testing patches, it can very easily go the other way.
> Upstream's rationale for withdrawing the testing patches has to do
> with the KSPP project (which is basically incrementally reimplementing
> grsec in mainline), which has the possibility of negatively impacting
> revenue.

And KSPP is like a decade behind, they will have to negotiate the
features (vs speed for example) with the other developers, so they will
never reach the level of protection that Grsecurity provides.

> Of course, upstream is still invited to comment on whether or not he
> ultimately plans to withdraw the patches or not.

It may be that they will provide the testing patches every 2 years (or
maybe even for every new LTS kernel). I hope they will realize that
killing the "community" and ecosystem around grsecurity will hurt their
customers and will give at least partial support for a non-official
port of grsecurity.

> William
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>



Received on Wed Apr 05 2017 - 22:07:43 UTC