From: Jens Staal
Date: Thu, 6 Apr 2017 06:02:06 +0200
Subject: Re: [alpine-devel] grsec go or no-go call for 3.6
To: developer@it-offshore.co.uk
Cc: alpine-devel@lists.alpinelinux.org
References: <6cb1b9fe292e94575683ea97bafe2c61@alpinelinux.org> <20170405220743.0fb80170@ncopa-desktop.copa.dup.pw>

Arch Linux is using grsec on kernel 4.9.
https://www.archlinux.org/packages/community/i686/linux-grsec/

Perhaps it would be good to ask that maintainer what their plans are.
I did not find any new announcements on the grsec web page except the announcement from 2015 where they explicitly say that they still want the patches to be available for the hardened Arch and Gentoo projects.

On 6 Apr 2017 00:07, "Stuart Cardall" <developer@it-offshore.co.uk> wrote:

If possible it would be good to keep grsecurity. It mitigates attacks on php-fpm:

"bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds."

Stuart.

On 04/05/2017 09:07 PM, Natanael Copa wrote:

On Sun, 2 Apr 2017 21:18:16 -0500 William Pitcock <nenolod@dereferenced.org> wrote:

Hello,

On Sun, Apr 2, 2017 at 2:54 PM, Francesco Colista <fcolista@alpinelinux.org> wrote:

On 2017-04-02 00:39 William Pitcock wrote:

Hello,

It is getting to the point to decide whether we wish to continue including grsec kernel for 3.6. There are three options that I can see:

1. Ship grsec in Alpine 3.6 and see what happens. Revisit this issue in Alpine 3.7.

One of the paradigms of Alpine is "secure". grsec contributed so far in making Alpine "secure".

How has grsec improved the security of aarch64, ppc64le or s390x? It has been previously proposed to remove grsec at the same time that we remove support for 32-bit x86, should that ever happen.

I would not make any important decision based on a "possibility", rather on official announcements.

Unfortunately, we do need to make a decision.
I think we try to keep grsecurity for v3.6.

While it is true that upstream may ultimately decide to not withdraw the testing patches, it can very easily go the other way. Upstream's rationale for withdrawing the testing patches has to do with the KSPP project (which is basically incrementally reimplementing grsec in mainline), which has the possibility of negatively impacting revenue.
And KSPP is like a decade behind; they will have to negotiate the features (vs speed for example) with the other developers, so they will never reach the level of protection that Grsecurity provides.

Of course, upstream is still invited to comment on whether or not he ultimately plans to withdraw the patches.
It may be that they will provide the testing patches every 2 years (or maybe even for every new LTS kernel). I hope they will realize that killing the "community" and ecosystem around grsecurity will hurt their customers and will give at least partial support for a non-official port of grsecurity.

William

---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
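Stuart's message quotes the kernel log line grsecurity emits when its brute-force prevention kicks in for a crashing service such as php-fpm. For an operator who keeps that kernel, the useful follow-up is to watch for that line: each occurrence means a process has crashed in a way the kernel treats as an exploitation attempt, and repeated triggers deserve investigation. The script below is an added example and is not from the thread or from the grsecurity project; it parses only the sentence quoted above and the two numbers inside it. The syslog prefix, the "grsec:" tag and the sample lines are constructed assumptions, not real output.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The sentence is the one quoted in the thread; the numbers are captured so
# that kernels configured with other windows or stall times are still matched.
BRUTE_RE = re.compile(
    r"bruteforce prevention initiated for the next (?P<window>\d+) minutes? "
    r"or until service restarted, stalling each fork (?P<stall>\d+) seconds?"
)


@dataclass
class BruteEvent:
    raw: str             # the complete log line the event came from
    window_minutes: int  # how long forks of the service will be stalled
    stall_seconds: int   # delay applied to each fork inside that window


def parse_brute_event(line: str) -> Optional[BruteEvent]:
    """Return a BruteEvent if the line carries the grsec message, else None."""
    m = BRUTE_RE.search(line)
    if m is None:
        return None
    return BruteEvent(line.rstrip("\n"), int(m["window"]), int(m["stall"]))


def scan(lines: Iterable[str]) -> List[BruteEvent]:
    """Collect every brute-force-prevention event from an iterable of log lines."""
    return [ev for ev in (parse_brute_event(line) for line in lines) if ev is not None]


def summarize(events: List[BruteEvent], alert_threshold: int = 2) -> dict:
    """Aggregate the events.  One trigger may be a stray crash; reaching the
    threshold means the service keeps crashing, which is the symptom the kernel
    is reacting to and the thing an operator should look into."""
    return {
        "count": len(events),
        "window_minutes_total": sum(ev.window_minutes for ev in events),
        "alert": len(events) >= alert_threshold,
    }


# Constructed sample lines (not real logs).  The timestamp/host/"kernel:"
# prefix and the "grsec:" tag are assumptions for illustration only.
SAMPLE_LOG = [
    "Apr  6 03:58:01 web1 kernel: grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.",
    "Apr  6 03:58:02 web1 php-fpm[1234]: [NOTICE] fpm is running, pid 1234",
    "Apr  6 04:12:44 web1 kernel: grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ev in found:
        print(f"window={ev.window_minutes}m stall={ev.stall_seconds}s :: {ev.raw}")
    print(summarize(found))
```

Feed it `dmesg` or the kernel facility of the syslog; a non-zero count is worth correlating with the crash reports grsecurity writes alongside this line, since the brute-force stall only buys time while the underlying crash is looked at.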