Re: [alpine-devel] grsec go or no-go call for 3.6

Jens Staal
Message ID
<CAK8RtFrHJL+5mQxMHx+OYePeQJrnErdToUNELeWd-C8H28iP6A@mail.gmail.com>
Sender timestamp
1491451326
Arch linux is using grsec on kernel 4.9.

https://www.archlinux.org/packages/community/i686/linux-grsec/

Perhaps it would be good to ask that maintainer what their plans are.
I did not find any new announcements on the grsec web page except the
announcement from 2015 where they explicitly say that they still want that
the patches are available for the hardened Arch and Gentoo projects.


On 6 Apr 2017 at 00:07, "Stuart Cardall" <developer@it-offshore.co.uk> wrote:

If possible it would be good to keep grsecurity. It mitigates attacks on
php-fpm:

"bruteforce prevention initiated for the next 30 minutes or until service
restarted, stalling each fork 30 seconds."

Stuart.

On 04/05/2017 09:07 PM, Natanael Copa wrote:

On Sun, 2 Apr 2017 21:18:16 -0500
William Pitcock <nenolod@dereferenced.org> wrote:


Hello,

On Sun, Apr 2, 2017 at 2:54 PM, Francesco
Colista <fcolista@alpinelinux.org> wrote:

On 2017-04-02 00:39, William Pitcock wrote:

Hello,

It is getting to the point to decide whether we wish to continue
including grsec kernel for 3.6.
There are three options that I can see:

1. Ship grsec in Alpine 3.6 and see what happens.  Revisit this issue
in Alpine 3.7.

One of the paradigms of Alpine is "secure".
grsec contributed so far in making Alpine "secure".

How has grsec improved the security of aarch64, ppc64le or s390x?
It has been previously proposed to remove grsec at the same time that
we remove support for 32-bit x86, should that ever happen.


I would not make any important decision based on a "possibility", rather on
official announcements.

Unfortunately, we do need to make a decision.

I think we try to keep grsecurity for v3.6.


While it is true that upstream may ultimately decide to not withdraw
the testing patches, it can very easily go the other way.
Upstream's rationale for withdrawing the testing patches has to do
with the KSPP project (which is basically incrementally reimplementing
grsec in mainline), which has the possibility of negatively impacting
revenue.

And KSPP is like a decade behind, they will have to negotiate the
features (vs speed for example) with the other developers, so they will
never reach the level of protection that Grsecurity provides.


Of course, upstream is still invited to comment on whether or not he
ultimately plans to withdraw the patches or not.

It may be that they will provide the testing patches every 2 years, (or
maybe even for every new LTS kernel). I hope they will realize that
killing the "community" and ecosystem around grsecurity will hurt their
customers and will give at least partial support for a non-official
port of grsecurity.


William


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---




Re: [alpine-devel] grsec go or no-go call for 3.6

William Pitcock
Message ID
<CA+T2pCFa0VteSPtV-VN5TTkGqUP5P6d=UD7zSVH0swC9KXqY0w@mail.gmail.com>
In-Reply-To
<CAK8RtFrHJL+5mQxMHx+OYePeQJrnErdToUNELeWd-C8H28iP6A@mail.gmail.com>
Sender timestamp
1493228524
Hello,

On Wed, Apr 5, 2017 at 11:02 PM, Jens Staal <staal1978@gmail.com> wrote:
> Arch linux is using grsec on kernel 4.9.
>
> https://www.archlinux.org/packages/community/i686/linux-grsec/
>
> Perhaps it would be good to ask that maintainer what their plans are.
> I did not find any new announcements on the grsec web page except the
> announcement from 2015 where they explicitly say that they still want that
> the patches are available for the hardened Arch and Gentoo projects.

https://grsecurity.net/passing_the_baton.php

It's official now.  Which means we need to revisit this.  Do we want
the exposure for 3.6?

William



Re: [alpine-devel] grsec go or no-go call for 3.6

Natanael Copa
Message ID
<20170426210242.441cde5e@ncopa-macbook.copa.dup.pw>
In-Reply-To
<CA+T2pCFa0VteSPtV-VN5TTkGqUP5P6d=UD7zSVH0swC9KXqY0w@mail.gmail.com>
Sender timestamp
1493233362
On Wed, 26 Apr 2017 12:42:04 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> Hello,
> 
> On Wed, Apr 5, 2017 at 11:02 PM, Jens Staal <staal1978@gmail.com> wrote:
> > Arch linux is using grsec on kernel 4.9.
> >
> > https://www.archlinux.org/packages/community/i686/linux-grsec/
> >
> > Perhaps it would be good to ask that maintainer what their plans are.
> > I did not find any new announcements on the grsec web page except the
> > announcement from 2015 where they explicitly say that they still want that
> > the patches are available for the hardened Arch and Gentoo projects.  
> 
> https://grsecurity.net/passing_the_baton.php
> 
> It's official now.  Which means we need to revisit this.  Do we want
> the exposure for 3.6?

I'd like to keep the grsec patch for 3.6. However, we need to rename it. I
think we should call it 'linux-hardened'. That way we can remove the
patch later or switch to something else in future.

-nc



Re: [alpine-devel] grsec go or no-go call for 3.6

William Pitcock
Message ID
<CA+T2pCGThx5YPzNUgcCjpSy0rddx+wCQYyEPOAhAuCcTZr+njw@mail.gmail.com>
In-Reply-To
<20170426210242.441cde5e@ncopa-macbook.copa.dup.pw>
Sender timestamp
1493274863
Hello,

On Wed, Apr 26, 2017 at 2:02 PM, Natanael Copa <ncopa@alpinelinux.org> wrote:
> On Wed, 26 Apr 2017 12:42:04 -0500
> William Pitcock <nenolod@dereferenced.org> wrote:
>
>> Hello,
>>
>> On Wed, Apr 5, 2017 at 11:02 PM, Jens Staal <staal1978@gmail.com> wrote:
>> > Arch linux is using grsec on kernel 4.9.
>> >
>> > https://www.archlinux.org/packages/community/i686/linux-grsec/
>> >
>> > Perhaps it would be good to ask that maintainer what their plans are.
>> > I did not find any new announcements on the grsec web page except the
>> > announcement from 2015 where they explicitly say that they still want that
>> > the patches are available for the hardened Arch and Gentoo projects.
>>
>> https://grsecurity.net/passing_the_baton.php
>>
>> It's official now.  Which means we need to revisit this.  Do we want
>> the exposure for 3.6?
>
> I'd like to keep the grsec patch for 3.6. However, we need to rename it. I
> think we should call it 'linux-hardened'. That way we can remove the
> patch later or switch to something else in future.

I took care of this in edge/3.6 already.  Whenever the current blocks
on the builders are resolved, this should go in fine.
It passed a local rebuild anyway.

When people upgrade their system, it will transition them to
linux-hardened if they have linux-grsec as soon as it lands.

William



Re: [alpine-devel] grsec go or no-go call for 3.6

Jean-Louis Fuchs
Message ID
<20170427154956.GA6880@angua.1042.ch>
In-Reply-To
<20170426210242.441cde5e@ncopa-macbook.copa.dup.pw>
Sender timestamp
1493308196
Hi

On Wed, Apr 26, 2017 at 09:02:42PM +0200, Natanael Copa wrote:
> I'd like to keep the grsec patch for 3.6. However, we need to rename it. I
> think we should call it 'linux-hardened'. That way we can remove the
> patch later or switch to something else in future.

Could we actually find a sponsor and get a subscription? I mean the
source is GPL after all.

Best,
    Jean-Louis

Re: [alpine-devel] grsec go or no-go call for 3.6

Shiz
Message ID
<ACD308E0-D424-4DDD-B37B-FBFF9E061F4C@shiz.me>
In-Reply-To
<20170427154956.GA6880@angua.1042.ch>
Sender timestamp
1493367900
Not viable as machine count is part of the subscription count, which we can’t predict.
We also can’t redistribute the patch or the subscription will be terminated.

Personally I vote for maintaining grsec for 3.6 and renaming it.
For the 3.6 release cycle, we should be reasonably able to maintain the patch against 4.9 LTS.
We have to revisit this for 3.7+, preferably soon after 3.6 is released, though.

- Shiz

> On 27 Apr 2017, at 17:49, Jean-Louis Fuchs <ganwell@fangorn.ch> wrote:
> 
> Hi
> 
> On Wed, Apr 26, 2017 at 09:02:42PM +0200, Natanael Copa wrote:
>> I'd like to keep the grsec patch for 3.6. However, we need to rename it. I
>> think we should call it 'linux-hardened'. That way we can remove the
>> patch later or switch to something else in future.
> 
> Could we actually find a sponsor and get a subscription? I mean the
> source is GPL after all.
> 
> Best,
>    Jean-Louis

Re: [alpine-devel] grsec go or no-go call for 3.6

Natanael Copa
Message ID
<20170428140030.0867763f@ncopa-macbook.copa.dup.pw>
In-Reply-To
<CA+T2pCGThx5YPzNUgcCjpSy0rddx+wCQYyEPOAhAuCcTZr+njw@mail.gmail.com>
Sender timestamp
1493380830
On Thu, 27 Apr 2017 01:34:23 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> Hello,
> 
> On Wed, Apr 26, 2017 at 2:02 PM, Natanael Copa <ncopa@alpinelinux.org> wrote:
>
> > I'd like to keep the grsec patch for 3.6. However, we need to rename it. I
> > think we should call it 'linux-hardened'. That way we can remove the
> > patch later or switch to something else in future.  
> 
> I took care of this in edge/3.6 already.  Whenever the current blocks
> on the builders are resolved, this should go in fine.
> It passed a local rebuild anyway.
> 
> When people upgrade their system, it will transition them to
> linux-hardened if they have linux-grsec as soon as it lands.

I tried the upgrade here.

apk upgrade replaced the grsec kernel with hardened. I just had to edit
my gummiboot config and everything was back to normal.

Thank you very much!

-nc



Re: [alpine-devel] grsec go or no-go call for 3.6

V.Krishn
Message ID
<201705011532.49139.vkrishn4@gmail.com>
In-Reply-To
<ACD308E0-D424-4DDD-B37B-FBFF9E061F4C@shiz.me>
Sender timestamp
1493632968
> Not viable as machine count is part of the subscription count, which we
> can’t predict. We also can’t redistribute the patch or the subscription
> will be terminated.
> 
> Personally I vote for maintaining grsec for 3.6 and renaming it.
> For the 3.6 release cycle, we should be reasonably able to maintain the
> patch against 4.9 LTS. We have to revisit this for 3.7+, preferably soon
> after 3.6 is released, though.

If a dormant project like this can raise such a sum, I am sure a security
project (close to the kernel) can raise an even larger one.
e.g. http://www.phoronix.com/scan.php?page=news_item&px=RoundCube-Next-Silent-2017

Not sure what game is at play, but after a small overview of other LSM/non-LSM
stackable/non-stackable projects, I think grsec should be kept alive at least
for 3 yrs or so (irrespective of whether alpinelinux uses it).
If the original author does not like the idea of such crowdfunding, maybe it
should be given a try by the community/devs that fork it.

-- 
Regards.
V.Krishn

> 
> - Shiz
> 
> > On 27 Apr 2017, at 17:49, Jean-Louis Fuchs <ganwell@fangorn.ch> wrote:
> > 
> > Hi
> > 
> > On Wed, Apr 26, 2017 at 09:02:42PM +0200, Natanael Copa wrote:
> >> I'd like to keep the grsec patch for 3.6. However, we need to rename it. I
> >> think we should call it 'linux-hardened'. That way we can remove the
> >> patch later or switch to something else in future.
> > 
> > Could we actually find a sponsor and get a subscription? I mean the
> > source is GPL after all.
> > 
> > Best,
> > 
> >    Jean-Louis

