el muchacho Tux's lil' helper
Joined: 26 Mar 2015 Posts: 78
Posted: Wed Sep 02, 2015 9:51 am Post subject: Grsecurity: What will happen to Gentoo Hardened now?
As you are maybe aware, Grsecurity will stop publishing its stable kernel patches to the public:
Quote:
> Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities. If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat's, described here, or eventually stop the stable series entirely as it will be an unsustainable development model.
(full announcement here: https://grsecurity.net/announce.php)
As a user of Gentoo hardened, I'm wondering what will happen to the hardened package in the portage tree?
I haven't seen any communication on this topic on the Gentoo side, even though technically, right now and since yesterday, there are no more Grsecurity stable patches available to the public!
schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 450
WWWW Tux's lil' helper
Joined: 30 Nov 2014 Posts: 143
Posted: Tue Sep 08, 2015 10:49 am
Oh man, I miss the heise English edition. I guess it's time to learn German.
If this news is true, then the only other option left is NSA SELinux? I thought Grsecurity was Hungarian.
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Tue Sep 08, 2015 3:52 pm
Read with Chrome - it will auto-translate for you.
It specifically says that Gentoo Hardened will not be affected, because it uses the development branch. It's the stable branch that's being removed.
_________________
.sigs waste space and bandwidth
skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Fri Oct 02, 2015 1:22 am
depontius wrote:
> Read with Chrome - it will auto-translate for you.
> It specifically says that Gentoo Hardened will not be affected, because it uses the development branch. It's the stable branch that's being removed.
Well, this is actually not true, as it does affect Gentoo: there won't be any long-term hardened kernel like we had with 3.14.51 and 3.2.71, which are still in the portage tree...
Thus Gentoo users can still play with the latest and hottest hardened kernel, but if they want stable servers they'll need to patch their stable kernel themselves...
Not a big deal if kernel patches would always apply cleanly to hardened sources...
skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Wed Apr 26, 2017 3:57 pm
Oh my... does this definitely mean the end of the gentoo-hardened project?
rob_dot_p n00b
Joined: 28 Jan 2017 Posts: 30
Posted: Wed Apr 26, 2017 5:46 pm
skunk wrote:
> Oh my... does this definitely mean the end of the gentoo-hardened project?
Interesting. And sad. Doesn't look like there's an obvious way around it. They could have announced it a bit sooner to give people who currently roll with the grsec testing patch more time.
lukki n00b
Joined: 23 Jul 2014 Posts: 11
Posted: Wed Apr 26, 2017 9:42 pm
Hi,
Bad news. I hope that gentoo-hardened doesn't die.
rob_dot_p n00b
Joined: 28 Jan 2017 Posts: 30
Posted: Thu Apr 27, 2017 12:30 am
lukki wrote:
> Hi,
> Bad news. I hope that gentoo-hardened doesn't die.
Well, a grsecurity-patched kernel, basically the core of hardened Gentoo, is off the table now.
There still is SELinux of course, but no kernel hardening is a huge difference.
nbrogan n00b
Joined: 15 Apr 2017 Posts: 5
Posted: Thu Apr 27, 2017 11:50 pm
This is terrible news. The optimist in me hopes this might lead to an increased focus on the KSPP, and the eventual inclusion of at least some of the features of grsecurity into the kernel, but I'm not hopeful. Most likely, this just means a less secure kernel for everyone who can't pay for grsecurity, which is most people, outside large corporations.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Fri Apr 28, 2017 12:09 am
nbrogan wrote:
> This is terrible news. The optimist in me hopes this might lead to an increased focus on the KSPP, and the eventual inclusion of at least some of the features of grsecurity into the kernel, but I'm not hopeful. Most likely, this just means a less secure kernel for everyone who can't pay for grsecurity, which is most people, outside large corporations.
https://grsecurity.net/compare.php
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Fri Apr 28, 2017 12:12 am
There is more than one thread on this on the forum right now.
I wonder what would be necessary for:
- Gentoo to get the patches commercially
- A small company to get the patches
- An individual to get the patches.
I read all the grsecurity announcements, so I know that the primary factor here is money. I'm just curious if anyone has done some research.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21490
Posted: Fri Apr 28, 2017 1:07 am
Money is only the initial gating factor. According to the commentary elsewhere, their terms currently provide that public redistribution would cancel the contract that gives access to the updates. Unless they grant some sort of exemption, which seems very unlikely, the patches are now effectively restricted to companies that voluntarily refrain from redistribution.
deagol n00b
Joined: 12 Jul 2014 Posts: 61
Posted: Fri Apr 28, 2017 11:43 am
I don't believe grsec will survive with the new model much longer. Of course they are in a better position to judge that than I am, and obviously they disagree... But let's see.
Keep in mind that there is a fourth method to get the source, one very hard for their customers to control:
Buy one product using the patches, force the vendor to give you the source, and then redistribute it. So any potential customer of theirs must be very careful where they deploy the grsec patches, to make sure nothing can be bought by anyone who may ask for the source and may even be entitled to updates...
I suspect that makes it much less attractive to buy the subscription from them. They must know that and have a plan. It will be interesting to see what...
As of today I just hope we can somehow find a way to at least maintain the current features and port them to newer kernels. But without an open community taking over the baton, some very nice security systems will die.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54097 Location: 56N 3W
Posted: Fri Apr 28, 2017 12:08 pm
It's still early days. Several projects are doing their own thing. Such fragmentation won't help anyone.
There is at least one effort to upstream the existing (GPL) grsec patch set, but naturally that won't get new features. Well, not from the current grsec team anyway.
The fragmented organisation around 'picking up the baton' will coalesce, and those with the skills and interests will take it forward.
The who, what and where will not become apparent for several months. The 4.9 kernel is an LTS kernel, so the community has until 2019 to pick up the baton and start to run.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Fri Apr 28, 2017 2:10 pm
NeddySeagoon wrote:
> It's still early days. Several projects are doing their own thing. Such fragmentation won't help anyone.
> There is at least one effort to upstream the existing (GPL) grsec patch set, but naturally that won't get new features. Well, not from the current grsec team anyway.
> The fragmented organisation around 'picking up the baton' will coalesce, and those with the skills and interests will take it forward.
> The who, what and where will not become apparent for several months. The 4.9 kernel is an LTS kernel, so the community has until 2019 to pick up the baton and start to run.
Really, what does 'upstream the existing grsec patch set' entail? Politics aside, it would be pretty much what the Gentoo team does every time they merge the patch set with a new kernel, right?
I'm not sure what the reasoning has been for not merging those patches as soon as they became available. It would be interesting to see what the main kernel devs have discussed with respect to that. I haven't seen anything negative about the patches with respect to quality or security of the code.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Fri Apr 28, 2017 2:17 pm
Realistically speaking, accepting the patches into the kernel as they had been open sourced would have saved untold hours of work for both the grsecurity team and for every distro offering a hardened kernel. Frankly, if I were on the grsecurity team I would be a little bent that nobody 'upstream' bothered to do this.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Fri Apr 28, 2017 3:59 pm
1clue wrote:
> would have saved untold hours of work
I don't have the links currently, but: it was already suggested upstream (not by the grsecurity team); Linus had commented on it and required some changes, rejected some others; grsecurity declared that they did not submit these patches and are not interested in including anything upstream.
It seems to me that the grsecurity team (or at least some persons from it) want this redundant work, because this is how they make their living.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Fri Apr 28, 2017 5:05 pm
I'm reading some on it now. It seems that the grsecurity team wanted an all-or-nothing arrangement.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Fri Apr 28, 2017 5:38 pm
1clue wrote:
> It seems that the grsecurity team wanted an all-or-nothing arrangement.
But being completely aware that certain patches would never have a chance to be accepted. So this was just a handle to not ever bring anything upstream.
skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Sat Apr 29, 2017 12:04 pm
An interesting read that sheds some light on the whole issue...
This confirms my fears about Linux going more and more mainstream: funds and credit going the wrong way, software of doubtful usefulness being pushed down our throats by almost all distros (systemd), caring less and less about security...
Maybe I should seriously consider OpenBSD for my next customer's servers.
h4rdened n00b
Joined: 13 May 2017 Posts: 14
Posted: Sat May 27, 2017 4:25 am
Arrrggg... Well, their decision to sell only can be understood, considering the huge amount of work they have given away for free over the last 16 years... (+ the stealing of their security tech)
Maybe if a lot of us buy the testing patch for personal use only, the price can be low enough to be affordable by anyone. Without grsecurity, hardened is dead.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Sat May 27, 2017 5:54 am
They don't have a pricing option for an individual and don't intend to ever have one. I asked.
I also asked what their minimum pricing model was, and got no answer.
Further, they will not authorize distribution of their source to a third party, which specifically means there will be no Linux kernel compiling by users of a distro if you want hardened kernels.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54097 Location: 56N 3W
Posted: Sat May 27, 2017 8:52 am
1clue,
How does that work with the GPL?
I buy, say, a Linux-based network appliance that's full of binaries. The vendor has to give me the GPL sources if I ask.
In practice, they tend to give me a list of links.
If the network appliance uses the hardened patch set, it's a derived work of the kernel and therefore covered by the GPL.
I can see a contradiction there but not a resolution.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
tholin Apprentice
Joined: 04 Oct 2008 Posts: 200
Posted: Sat May 27, 2017 11:01 am
NeddySeagoon wrote:
> How does that work with the GPL?
Lots of info in the comments here:
https://lwn.net/Articles/720983/
https://lwn.net/Articles/721848/
The consensus seems to be that Open Source Security (the company behind grsecurity) can use those terms in their contract, but that also makes it infeasible for companies to use the grsecurity patches in user products. That's a pretty big limitation on the usefulness of grsecurity.