From: William Pitcock
Date: Wed, 12 Jul 2017 02:18:18 -0500
Subject: Re: [alpine-devel] Linus & others v. grsecurity
To: Natanael Copa
Cc: Cág, alpine-dev

Hi,

On Thu, Jul 6, 2017 at 5:34 AM, Natanael Copa wrote:
> On Sun, 2 Jul 2017 18:37:50 +0100
> Cág wrote:
>
>> Hi everyone,
>>
>> I was reading news the other day and found this:
>> https://www.spinics.net/lists/kernel/msg2540934.html
>
> The reason Linus calls it garbage is because it's not split up, so it
> cannot be included upstream:
>
> http://www.openwall.com/lists/oss-security/2017/06/24/14
>
> Well, Linus also says he would prefer that Spender himself sent patches
> for inclusion:
>
> http://www.openwall.com/lists/oss-security/2017/06/24/2
>
>> In the comment section somebody linked this thread:
>> http://seclists.org/oss-sec/2017/q2/583
>>
>> Bruce Perens warns about risks for grsecurity customers:
>> http://perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/
>> Earlier, RMS spoke about a GPL violation.
>
> Yeah, what they do is controversial. We don't break the GPL though.
>
>> Then there was this thing:
>> https://twitter.com/marcan42/status/724745886794833920
>> Looks like this person and some others that replied were banned by
>> grsecurity.
>
> They got banned from the grsecurity twitter. After that grsecurity left
> twitter, so he is banned from something that no longer exists.

I don't think this is very interesting -- everyone by now knows the pros
and cons of interacting with Brad.

>> Considering the abovementioned, was it a good thing to start using
>> their patches?
>
> When we started using their patches more than 10 years ago, yes, it
> was a good thing. They solved security issues back then that are not
> solved in mainline even now. (The issue at hand that made it to the media
> was solved by grsecurity around 2010-2011 or so?)
>
> They were early (first?) with ASLR. We have always built our userspace
> with PIE, bindnow and relro so we can fully utilize it.
>
> So I would definitely say it was a good thing to start using their
> patches.
>
>> Is there a need for a hardened kernel overall?
>
> I think the link you provided answers that:
>
>> http://seclists.org/oss-sec/2017/q2/583
>
> Grsecurity finds and fixes many issues in the kernel that nobody else
> notices/cares about (until it hits the media, as in the recent case).

Yes, but a lot of the bugfixes they do are undisclosed, so nobody knows
about them, which is annoying.

> So the question is: do we need to be ahead of other distros when it comes
> to kernel security?
>
> But there are some reasons why we should stop using it:
>
> - It is not good to depend on something unreliable (we don't know if we
>   can access future patches - there is no guarantee that they will give
>   us access even if we pay them)
> - No support
> - It requires much work to maintain the unofficial patch
> - Their business model (Alpine is open source)
> - They are difficult to co-operate with
>
> I want to continue using it for as long as it is possible.

Personally, having looked at strcat's work, I am optimistic, and basically
I see a future where we can draw from KSPP, strcat's work, and our own
work to provide a hardened kernel for Alpine 3.7. I'm not too worried
about it.

Ironically, strcat's work on tuning the Linux ASLR implementation scores
better on paxtest than PaX, which I found interesting.

William

---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---