Re: [alpine-devel] grsec go or no-go call for 3.6

From: Stuart Cardall <developer_at_it-offshore.co.uk>
Date: Wed, 5 Apr 2017 23:06:19 +0100

If possible it would be good to keep grsecurity. It mitigates attacks on
php-fpm:

"bruteforce prevention initiated for the next 30 minutes or until
service restarted, stalling each fork 30 seconds."

Stuart.


On 04/05/2017 09:07 PM, Natanael Copa wrote:
> On Sun, 2 Apr 2017 21:18:16 -0500
> William Pitcock <nenolod_at_dereferenced.org> wrote:
>
>> Hello,
>>
>> On Sun, Apr 2, 2017 at 2:54 PM, Francesco Colista
>> <fcolista_at_alpinelinux.org> wrote:
>>> On 2017-04-02 00:39, William Pitcock wrote:
>>>> Hello,
>>>>
>>>> It is getting to the point to decide whether we wish to continue
>>>> including grsec kernel for 3.6.
>>>> There are three options that I can see:
>>>>
>>>> 1. Ship grsec in Alpine 3.6 and see what happens. Revisit this issue
>>>> in Alpine 3.7.
>>>
>>> One of the paradigms of Alpine is "secure".
>>> grsec contributed so far in making Alpine "secure".
>> How has grsec improved the security of aarch64, ppc64le or s390x?
>> It has been previously proposed to remove grsec at the same time that
>> we remove support for 32-bit x86, should that ever happen.
>>
>>> I would not make any important decision based on a "possibility", rather on
>>> official announcements.
>> Unfortunately, we do need to make a decision.
> I think we try to keep grsecurity for v3.6.
>
>> While it is true that upstream may ultimately decide to not withdraw
>> the testing patches, it can very easily go the other way.
>> Upstream's rationale for withdrawing the testing patches has to do
>> with the KSPP project (which is basically incrementally reimplementing
>> grsec in mainline), which has the possibility of negatively impacting
>> revenue.
> And KSPP is like a decade behind, they will have to negotiate the
> features (vs speed for example) with the other developers, so they will
> never reach the level of protection that Grsecurity provides.
>
>> Of course, upstream is still invited to comment on whether or not he
>> ultimately plans to withdraw the patches or not.
> It may be that they will provide the testing patches every 2 years, (or
> maybe even for every new LTS kernel). I hope they will realize that
> killing the "community" and ecosystem around grsecurity will hurt their
> customers and will give at least partial support for a non-official
> port of grsecurity.
>
>> William
>>
>>
>> ---
>> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
>> Help: alpine-devel+help_at_lists.alpinelinux.org
>> ---
>>




Received on Wed Apr 05 2017 - 23:06:19 GMT