[alpine-devel] grsec go or no-go call for 3.6

William Pitcock
Message ID
<CA+T2pCGaas_84oGi-JvKH2+8xhpyjrfTUakFvv0wEczTJTN_Pg@mail.gmail.com>
Sender timestamp
1491086354
DKIM signature
missing
Hello,

It is getting to the point to decide whether we wish to continue
including grsec kernel for 3.6.

For those who are unaware, grsecurity author announced on his IRC
channel that the testing patches for grsecurity will be withdrawn at
some point in the future.  As we are dependent on the testing patches
to generate our own patches, this means that grsec package may become
unmaintainable in the future, likely as early as during the 3.6
release cycle.

If we are incorrect with this interpretation, the grsec author can
surely reply and let us know.

There are three options that I can see:

1. Ship grsec in Alpine 3.6 and see what happens.  Revisit this issue
in Alpine 3.7.

2. Keep grsec in edge, but block it in release branches -- this is
kinda messy because the 3.6 builders will start off building edge
until release day, so not sure what to do there (maybe we can
blacklist the package somehow?)

3. Drop grsec package in edge now.   Possibly have linux-vanilla
"provide" it so that users still get kernel upgrades (though this
means they would lose the grsec features and they may not want this
outcome).

Of note, we do not ship grsec on any architectures other than
x86/x86_64/armhf.  To date, new architectures have elected not to
provide grsec kernels, so this only affects x86/x86_64/armhf.

William


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Francesco Colista
Message ID
<6cb1b9fe292e94575683ea97bafe2c61@alpinelinux.org>
In-Reply-To
<CA+T2pCGaas_84oGi-JvKH2+8xhpyjrfTUakFvv0wEczTJTN_Pg@mail.gmail.com>
Sender timestamp
1491162879
DKIM signature
missing
On 2017-04-02 00:39, William Pitcock wrote:
> Hello,
> 
> It is getting to the point to decide whether we wish to continue
> including grsec kernel for 3.6.
> There are three options that I can see:
> 
> 1. Ship grsec in Alpine 3.6 and see what happens.  Revisit this issue
> in Alpine 3.7.

One of the paradigms of Alpine is "secure".
grsec contributed so far in making Alpine "secure".
I would not make any important decision based on a "possibility", rather
on official announcements.

Therefore, I vote for 1.
Thanks William for having brought up this discussion.


-- 
:: Francesco Colista
:: Alpine Linux Infrastructure
:: http://www.alpinelinux.org
:: GnuPG ID: C4FB9584

