From: Natanael Copa
To: Cág
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Linus & others v. grsecurity
Date: Thu, 6 Jul 2017 12:34:02 +0200
Message-ID: <20170706123402.7a5086d8@ncopa-desktop.copa.dup.pw>
In-Reply-To: <20170702173750.GA1411@alpine>

On Sun, 2 Jul 2017 18:37:50 +0100
Cág wrote:

> Hi everyone,
>
> I was reading news the other day and found this:
> https://www.spinics.net/lists/kernel/msg2540934.html

The reason Linus calls it garbage is because it's not split up, so it
cannot be included upstream:
http://www.openwall.com/lists/oss-security/2017/06/24/14

Well, Linus also says he would prefer that Spender himself sent patches
for inclusion:
http://www.openwall.com/lists/oss-security/2017/06/24/2

> In the comment section somebody linked this thread:
> http://seclists.org/oss-sec/2017/q2/583
>
> Bruce Perens warns about risks for grsecurity customers:
> http://perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/
> Earlier RMS said about GPL violation.

Yeah, what they do is controversial. We don't break the GPL though.

> Then there was this thing:
> https://twitter.com/marcan42/status/724745886794833920
> Looks like this person and some others that replied were banned by
> grsecurity.

They got banned from grsecurity twitter. After that grsecurity left
twitter, so he is banned from something that no longer exists.

> Considering the abovementioned, was it a good thing to start using
> their patches?

When we started using their patches more than 10 years ago, yes, it was
a good thing. They solved security issues back then that are not solved
in mainline until now. (The issue at hand that made it to media was
solved by Grsecurity around 2010-2011 something?)

They were early (first?) with ASLR. We have always built our userspace
with PIE, bindnow and relro so we can fully utilize it.

So I would definitely say it was a good thing to start using their
patches.

> Is there a need in a hardened kernel overall?

I think the link you provided answers that:
> http://seclists.org/oss-sec/2017/q2/583

Grsecurity finds and fixes many issues in the kernel that nobody else
notices/cares about (until it hits media as in the recent case).

So the question is: do we need to be ahead of other distros when it
comes to kernel security?

But there are some reasons why we should stop using it:

- It is not good to depend on something unreliable (we don't know if we
  can access future patches - there is no guarantee that they will give
  us access even if we pay them)
- No support
- It requires much work to maintain the unofficial patch
- Their business model (Alpine is open source)
- They are difficult to co-operate with

I want to continue using it for as long as it is possible.

-nc
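The build-flag point in the mail above (userspace built with PIE, bindnow and relro so that kernel ASLR is fully usable) is something a packager can verify on an installed binary. The script below is an added example, not Alpine's or grsecurity's own tooling: it reads an ELF64 file's program headers and dynamic section and reports whether the image is position independent (ET_DYN, with the newer DF_1_PIE flag where the toolchain sets it), whether the linker emitted a PT_GNU_RELRO segment, and whether BIND_NOW is requested (full RELRO needs both). The sample ELF it builds is constructed here with only the headers needed for inspection and is not loadable; the constant values are from the ELF specification and <elf.h>, and `build_sample_elf`, `elf_hardening` and `check_file` are names chosen for this example.

```python
"""Inspect an ELF64 binary for the userspace hardening properties named in
the mail: PIE, RELRO and BIND_NOW. Added example, not Alpine's own tooling.
Uses only the standard library; works offline on a constructed sample."""
import struct
import sys

# Constants from the ELF specification / <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                        # bit in DT_FLAGS
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000     # bits in DT_FLAGS_1


def elf_hardening(data: bytes) -> dict:
    """Return PIE / RELRO / BIND_NOW findings for an ELF64 image in memory."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True                 # linker emitted -z relro
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    flags = flags1 = 0
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):   # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from(end + "qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS:
                flags = d_val
            elif d_tag == DT_FLAGS_1:
                flags1 = d_val

    bind_now = bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    return {
        "et_dyn": e_type == ET_DYN,      # position independent image (PIE or shared object)
        "pie": e_type == ET_DYN and bool(flags1 & DF_1_PIE),  # explicit PIE flag, newer toolchains
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,  # GOT becomes read-only after startup
    }


def build_sample_elf(*, pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed ELF64 with just the headers needed for inspection (not loadable)."""
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum            # ELF header + program headers
    ehdr = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                        0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, 48, 48, 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_FLAGS_1,
                       (DF_1_PIE if pie else 0) | (DF_1_NOW if bind_now else 0))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    return ehdr + phdrs + dyn


def check_file(path: str) -> dict:
    """Inspect a real binary on disk, e.g. check_file('/bin/busybox')."""
    with open(path, "rb") as f:
        return elf_hardening(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        print(elf_hardening(build_sample_elf(pie=True, relro=True, bind_now=True)))
```

Run it with a path to report on a real binary, or without arguments to see the constructed hardened sample. Two caveats when reading the output: a shared library is also ET_DYN, so `et_dyn` alone does not prove a PIE executable, which is why the explicit `pie` field is reported separately (older linkers do not set DF_1_PIE, so a PIE from such a toolchain shows `et_dyn` true and `pie` false); and `relro` without `bind_now` is only partial RELRO, since lazily bound GOT entries stay writable.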