For discussion of Alpine Linux development and developer support

2 2

Re: [alpine-devel] grsec go or no-go call for 3.6

William Pitcock
Details
Message ID
<CA+T2pCEdrM4iLKgA3phGLnpRA5Jo09nVEp5vsT6TKXPEgCOfdw@mail.gmail.com>
Sender timestamp
1491185896
DKIM signature
missing
Download raw message
Hello,

On Sun, Apr 2, 2017 at 2:54 PM, Francesco  Colista
<fcolista@alpinelinux.org> wrote:
> Il 2017-04-02 00:39 William Pitcock ha scritto:
>>
>> Hello,
>>
>> It is getting to the point to decide whether we wish to continue
>> including grsec kernel for 3.6.
>> There are three options that I can see:
>>
>> 1. Ship grsec in Alpine 3.6 and see what happens.  Revisit this issue
>> in Alpine 3.7.
>
>
> One of the paradigm of Alpine is "secure".
> grsec contributed so far in making Alpine "secure".

How has grsec improved the security of aarch64, ppc64le or s390x?
It has been previously proposed to remove grsec at the same time that
we remove support for 32-bit x86, should that ever happen.

> I would not make any important decision based on a "possibility", rahter on
> official announcements.

Unfortunately, we do need to make a decision.
While it is true that upstream may ultimately decide to not withdraw
the testing patches, it can very easily go the other way.
Upstream's rationale for withdrawing the testing patches have to do
with the KSPP project (which is basically incrementally reimplementing
grsec in mainline), which has the possibility of negatively impacting
revenue.
Of course, upstream is still invited to comment on whether or not he
ultimately plans to withdraw the patches or not.

William


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Re: [alpine-devel] grsec go or no-go call for 3.6

Natanael Copa
Details
Message ID
<20170405220743.0fb80170@ncopa-desktop.copa.dup.pw>
In-Reply-To
<CA+T2pCEdrM4iLKgA3phGLnpRA5Jo09nVEp5vsT6TKXPEgCOfdw@mail.gmail.com> (view parent)
Sender timestamp
1491422863
DKIM signature
missing
Download raw message
On Sun, 2 Apr 2017 21:18:16 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> Hello,
> 
> On Sun, Apr 2, 2017 at 2:54 PM, Francesco  Colista
> <fcolista@alpinelinux.org> wrote:
> > Il 2017-04-02 00:39 William Pitcock ha scritto:  
> >>
> >> Hello,
> >>
> >> It is getting to the point to decide whether we wish to continue
> >> including grsec kernel for 3.6.
> >> There are three options that I can see:
> >>
> >> 1. Ship grsec in Alpine 3.6 and see what happens.  Revisit this issue
> >> in Alpine 3.7.  
> >
> >
> > One of the paradigm of Alpine is "secure".
> > grsec contributed so far in making Alpine "secure".  
> 
> How has grsec improved the security of aarch64, ppc64le or s390x?
> It has been previously proposed to remove grsec at the same time that
> we remove support for 32-bit x86, should that ever happen.
> 
> > I would not make any important decision based on a "possibility", rahter on
> > official announcements.  
> 
> Unfortunately, we do need to make a decision.

I think we try keep grsecurity for v3.6.

> While it is true that upstream may ultimately decide to not withdraw
> the testing patches, it can very easily go the other way.
> Upstream's rationale for withdrawing the testing patches have to do
> with the KSPP project (which is basically incrementally reimplementing
> grsec in mainline), which has the possibility of negatively impacting
> revenue.

And KSPP is like a decade behind, they will have to negotiate the
features (vs speed for example) with the other developers, so they will
never reach the level of protection that Grsecurity provides.

> Of course, upstream is still invited to comment on whether or not he
> ultimately plans to withdraw the patches or not.

It may be that they will provide the testing patches every 2 years, (or
maybe even for every new LTS kernel). I hope they will realize that
killing the "community" and ecosystem around grsecurity will hurt their
customers and will give at least partial support for a non-official
port of grsecurity.

> William
> 
> 
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---
> 



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Re: [alpine-devel] grsec go or no-go call for 3.6

Stuart Cardall
Details
Message ID
<ef7a7202-131f-7832-5960-9fe31ec65998@it-offshore.co.uk>
In-Reply-To
<20170405220743.0fb80170@ncopa-desktop.copa.dup.pw> (view parent)
Sender timestamp
1491429979
DKIM signature
missing
Download raw message
If possible it would be good to keep grsecurity. It mitigates attacks on
php-fpm:

"bruteforce prevention initiated for the next 30 minutes or until
service restarted, stalling each fork 30 seconds."

Stuart.


On 04/05/2017 09:07 PM, Natanael Copa wrote:
> On Sun, 2 Apr 2017 21:18:16 -0500
> William Pitcock <nenolod@dereferenced.org> wrote:
>
>> Hello,
>>
>> On Sun, Apr 2, 2017 at 2:54 PM, Francesco  Colista
>> <fcolista@alpinelinux.org> wrote:
>>> Il 2017-04-02 00:39 William Pitcock ha scritto:  
>>>> Hello,
>>>>
>>>> It is getting to the point to decide whether we wish to continue
>>>> including grsec kernel for 3.6.
>>>> There are three options that I can see:
>>>>
>>>> 1. Ship grsec in Alpine 3.6 and see what happens.  Revisit this issue
>>>> in Alpine 3.7.  
>>>
>>> One of the paradigm of Alpine is "secure".
>>> grsec contributed so far in making Alpine "secure".  
>> How has grsec improved the security of aarch64, ppc64le or s390x?
>> It has been previously proposed to remove grsec at the same time that
>> we remove support for 32-bit x86, should that ever happen.
>>
>>> I would not make any important decision based on a "possibility", rahter on
>>> official announcements.  
>> Unfortunately, we do need to make a decision.
> I think we try keep grsecurity for v3.6.
>
>> While it is true that upstream may ultimately decide to not withdraw
>> the testing patches, it can very easily go the other way.
>> Upstream's rationale for withdrawing the testing patches have to do
>> with the KSPP project (which is basically incrementally reimplementing
>> grsec in mainline), which has the possibility of negatively impacting
>> revenue.
> And KSPP is like a decade behind, they will have to negotiate the
> features (vs speed for example) with the other developers, so they will
> never reach the level of protection that Grsecurity provides.
>
>> Of course, upstream is still invited to comment on whether or not he
>> ultimately plans to withdraw the patches or not.
> It may be that they will provide the testing patches every 2 years, (or
> maybe even for every new LTS kernel). I hope they will realize that
> killing the "community" and ecosystem around grsecurity will hurt their
> customers and will give at least partial support for a non-official
> port of grsecurity.
>
>> William
>>
>>
>> ---
>> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
>> Help:         alpine-devel+help@lists.alpinelinux.org
>> ---
>>
>
>
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---
>