Date: Wed, 5 Apr 2017 22:07:43 +0200
From: Natanael Copa
To: William Pitcock
Cc: Francesco Colista, alpine-dev
Subject: Re: [alpine-devel] grsec go or no-go call for 3.6

On Sun, 2 Apr 2017 21:18:16 -0500
William Pitcock wrote:

> Hello,
>
> On Sun, Apr 2, 2017 at 2:54 PM, Francesco Colista wrote:
> > On 2017-04-02 00:39 William Pitcock wrote:
> >>
> >> Hello,
> >>
> >> It is getting to the point to decide whether we wish to continue
> >> including grsec kernel for 3.6.
> >> There are three options that I can see:
> >>
> >> 1. Ship grsec in Alpine 3.6 and see what happens. Revisit this issue
> >> in Alpine 3.7.
> >
> > One of the paradigms of Alpine is "secure".
> > grsec contributed so far in making Alpine "secure".
>
> How has grsec improved the security of aarch64, ppc64le or s390x?
> It has been previously proposed to remove grsec at the same time that
> we remove support for 32-bit x86, should that ever happen.
>
> > I would not make any important decision based on a "possibility", rather on
> > official announcements.
>
> Unfortunately, we do need to make a decision.

I think we try to keep grsecurity for v3.6.

> While it is true that upstream may ultimately decide to not withdraw
> the testing patches, it can very easily go the other way.
> Upstream's rationale for withdrawing the testing patches has to do
> with the KSPP project (which is basically incrementally reimplementing
> grsec in mainline), which has the possibility of negatively impacting
> revenue.

And KSPP is like a decade behind, they will have to negotiate the
features (vs speed for example) with the other developers, so they will
never reach the level of protection that Grsecurity provides.

> Of course, upstream is still invited to comment on whether or not he
> ultimately plans to withdraw the patches or not.

It may be that they will provide the testing patches every 2 years (or
maybe even for every new LTS kernel).

I hope they will realize that killing the "community" and ecosystem
around grsecurity will hurt their customers and will give at least
partial support for a non-official port of grsecurity.

> William