Mail archive
alpine-devel

Re: [alpine-devel] grsec go or no-go call for 3.6

From: Jens Staal <staal1978_at_gmail.com>
Date: Thu, 6 Apr 2017 06:02:06 +0200

Arch linux is using grsec on kernel 4.9.

https://www.archlinux.org/packages/community/i686/linux-grsec/

Perhaps it would be good to ask that maintainer what their plans are.
I did not find any new announcements on the grsec web page except the
announcement from 2015 where they explicitly say that they still want that
the patches are available for the hardened Arch and Gentoo projects.


Den 6 apr. 2017 00:07 skrev "Stuart Cardall" <developer_at_it-offshore.co.uk>:

If possible it would be good to keep grsecurity. It mitigates attacks on
php-fpm:

"bruteforce prevention initiated for the next 30 minutes or until service
restarted, stalling each fork 30 seconds."

Stuart.

On 04/05/2017 09:07 PM, Natanael Copa wrote:

On Sun, 2 Apr 2017 21:18:16 -0500
William Pitcock <nenolod_at_dereferenced.org> <nenolod_at_dereferenced.org> wrote:


Hello,

On Sun, Apr 2, 2017 at 2:54 PM, Francesco
Colista<fcolista_at_alpinelinux.org> <fcolista_at_alpinelinux.org> wrote:

Il 2017-04-02 00:39 William Pitcock ha scritto:

Hello,

It is getting to the point to decide whether we wish to continue
including grsec kernel for 3.6.
There are three options that I can see:

1. Ship grsec in Alpine 3.6 and see what happens. Revisit this issue
in Alpine 3.7.

One of the paradigm of Alpine is "secure".
grsec contributed so far in making Alpine "secure".

How has grsec improved the security of aarch64, ppc64le or s390x?
It has been previously proposed to remove grsec at the same time that
we remove support for 32-bit x86, should that ever happen.


I would not make any important decision based on a "possibility", rahter on
official announcements.

Unfortunately, we do need to make a decision.

I think we try keep grsecurity for v3.6.


While it is true that upstream may ultimately decide to not withdraw
the testing patches, it can very easily go the other way.
Upstream's rationale for withdrawing the testing patches have to do
with the KSPP project (which is basically incrementally reimplementing
grsec in mainline), which has the possibility of negatively impacting
revenue.

And KSPP is like a decade behind, they will have to negotiate the
features (vs speed for example) with the other developers, so they will
never reach the level of protection that Grsecurity provides.


Of course, upstream is still invited to comment on whether or not he
ultimately plans to withdraw the patches or not.

It may be that they will provide the testing patches every 2 years, (or
maybe even for every new LTS kernel). I hope they will realize that
killing the "community" and ecosystem around grsecurity will hurt their
customers and will give at least partial support for a non-official
port of grsecurity.


William


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Thu Apr 06 2017 - 06:02:06 UTC