Gentoo Forums
Grsecurity: What will happen to Gentoo Hardened now ?
Gentoo Forums Forum Index > Kernel & Hardware
el muchacho
Tux's lil' helper
Joined: 26 Mar 2015
Posts: 77

Posted: Wed Sep 02, 2015 9:51 am    Post subject: Grsecurity: What will happen to Gentoo Hardened now ?

As you are maybe aware, Grsecurity will stop publishing its stable kernel patches to the public:

Quote:
Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities. If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat's, described here or eventually stop the stable series entirely as it will be an unsustainable development model.

(full announcement here: https://grsecurity.net/announce.php)


As a user of Gentoo Hardened, I'm wondering what will happen to the hardened package in the Portage tree?

I haven't seen any communication on this topic from the Gentoo side, even though technically, right now and since yesterday, there are no more Grsecurity stable patches available to the public!
schorsch_76
Guru
Joined: 19 Jun 2012
Posts: 450

Posted: Wed Sep 02, 2015 9:53 am

According to this (German) site
http://www.heise.de/open/meldung/Linux-Verfuegbarkeit-der-Grsecurity-Erweiterung-wird-eingeschraenkt-2792474.html

Gentoo will not suffer from it.
_________________
// valid again: I forgot about the git access. Now 1.2GB big. Start: 2015-06-25
git daily portage tree
Web: https://portage.schorsch-tech.de
git clone https://portage.schorsch-tech.de/portage.git
WWWW
Tux's lil' helper
Joined: 30 Nov 2014
Posts: 143

Posted: Tue Sep 08, 2015 10:49 am

Oh man, I miss the heise English edition. I guess it's time to learn German.

If this news is true, then the only other option left is NSA SELinux? I thought Grsecurity was Hungarian.
depontius
Advocate
Joined: 05 May 2004
Posts: 3353

Posted: Tue Sep 08, 2015 3:52 pm

Read it with Chrome; it will auto-translate for you.

It specifically says that Gentoo Hardened will not be affected, because it uses the development branch. It's the stable branch that's being removed.
_________________
.sigs waste space and bandwidth
skunk
l33t
Joined: 28 May 2003
Posts: 632
Location: granada, spain

Posted: Fri Oct 02, 2015 1:22 am

depontius wrote:
Read it with Chrome; it will auto-translate for you.
It specifically says that Gentoo Hardened will not be affected, because it uses the development branch. It's the stable branch that's being removed.

Well, this is actually not true, as it does affect Gentoo: there won't be any long-term hardened kernel like we had with 3.14.51 and 3.2.71, which are still in the Portage tree...
Thus Gentoo users can still play with the latest and hottest hardened kernel, but if they want stable servers they'll need to patch their stable kernel themselves...
Not a big deal if kernel patches would always cleanly apply to hardened sources...
skunk
l33t
Joined: 28 May 2003
Posts: 632
Location: granada, spain

Posted: Wed Apr 26, 2017 3:57 pm

Oh my... does this definitely mean the end of the gentoo-hardened project?
rob_dot_p
n00b
Joined: 28 Jan 2017
Posts: 30

Posted: Wed Apr 26, 2017 5:46 pm

skunk wrote:
Oh my... does this definitely mean the end of the gentoo-hardened project?

Interesting. And sad. Doesn't look like there's an obvious way around it. Could have announced it a bit sooner to give people who currently roll with the grsec testing patch more time.
lukki
n00b
Joined: 23 Jul 2014
Posts: 11

Posted: Wed Apr 26, 2017 9:42 pm

Hi,

Bad news. I hope that gentoo-hardened doesn't die.
rob_dot_p
n00b
Joined: 28 Jan 2017
Posts: 30

Posted: Thu Apr 27, 2017 12:30 am

lukki wrote:
Hi,

Bad news. I hope that gentoo-hardened doesn't die.

Well, a grsecurity-patched kernel, basically the core of Hardened Gentoo, is off the table now.
There is still SELinux of course, but no kernel hardening is a huge difference.
nbrogan
n00b
Joined: 15 Apr 2017
Posts: 5

Posted: Thu Apr 27, 2017 11:50 pm

This is terrible news. The optimist in me hopes this might lead to an increased focus on the KSPP, and the eventual inclusion of at least some of the features of grsecurity into the kernel, but I'm not hopeful. Most likely, this just means a less secure kernel for everyone who can't pay for grsecurity, which is most people, outside large corporations.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2435

Posted: Fri Apr 28, 2017 12:09 am

nbrogan wrote:
This is terrible news. The optimist in me hopes this might lead to an increased focus on the KSPP, and the eventual inclusion of at least some of the features of grsecurity into the kernel, but I'm not hopeful. Most likely, this just means a less secure kernel for everyone who can't pay for grsecurity, which is most people, outside large corporations.

https://grsecurity.net/compare.php
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2435

Posted: Fri Apr 28, 2017 12:12 am

There is more than one thread on this on the forum right now.

I wonder what would be necessary for:

  1. Gentoo to get the patches commercially
  2. A small company to get the patches
  3. An individual to get the patches.

I read all the grsecurity announcements, so I know that the primary factor here is money. I'm just curious if anyone has done some research.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13028

Posted: Fri Apr 28, 2017 1:07 am

Money is only the initial gating factor. According to the commentary elsewhere, their terms currently provide that public redistribution would cancel the contract that gives access to the updates. Unless they grant some sort of exemption, which seems very unlikely, the patches are now effectively restricted to companies that voluntarily refrain from redistribution.
deagol
n00b
Joined: 12 Jul 2014
Posts: 14

Posted: Fri Apr 28, 2017 11:43 am

I don't believe grsec will survive with the new model much longer. Of course they are in a better position to judge that than I am, and obviously they disagree... But let's see.

Keep in mind that there is a fourth method to get the src, one very hard for their customers to control:
Buy one product using the patches and force the vendor to give you the src, and then redistribute it. So any potential customer of theirs must be very careful where they deploy the grsec patches, to make sure nothing can be bought by anyone who may ask for the src and may even be entitled to updates...
I suspect that makes it much less attractive to buy the subscription from them. They must know that and have a plan. It will be interesting to see what...

As for today, I just hope we can somehow find a way to at least maintain the current features and port them to newer kernels. But without an open community taking over the baton, some very nice security systems will die.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 41714
Location: 56N 3W

Posted: Fri Apr 28, 2017 12:08 pm

It's still early days. Several projects are doing their own thing. Such fragmentation won't help anyone.
There is at least one effort to upstream the existing (GPL) grsec patch set but naturally, that won't get new features. Well, not from the current grsec team anyway.

The fragmented organisation around 'picking up the baton' will coalesce and those with the skills and interests will take it forward.
The who, what and where will not become apparent for several months. The 4.9 kernel is an LTS kernel, so the community has until 2019 to pick up the baton and start to run.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2435

Posted: Fri Apr 28, 2017 2:10 pm

NeddySeagoon wrote:
It's still early days. Several projects are doing their own thing. Such fragmentation won't help anyone.
There is at least one effort to upstream the existing (GPL) grsec patch set but naturally, that won't get new features. Well, not from the current grsec team anyway.

The fragmented organisation around 'picking up the baton' will coalesce and those with the skills and interests will take it forward.
The who, what and where will not become apparent for several months. The 4.9 kernel is an LTS kernel, so the community has until 2019 to pick up the baton and start to run.

Really, what does 'upstream the existing grsec patch set' entail? Politics aside, it would be pretty much what the Gentoo team does every time they merge the patch set with a new kernel, right?

I'm not sure what the reasoning has been to not merge those patches as soon as they became available. It would be interesting to see what the main kernel devs have discussed with respect to that. I haven't seen anything negative about the patches with respect to quality or security of the code.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2435

Posted: Fri Apr 28, 2017 2:17 pm

Realistically speaking, accepting the patches into the kernel as they had been open-sourced would have saved untold hours of work for both the grsecurity team and for every distro offering a hardened kernel. Frankly, if I were on the grsecurity team I would be a little bent that nobody 'upstream' bothered to do this.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6242

Posted: Fri Apr 28, 2017 3:59 pm

1clue wrote:
would have saved untold hours of work

I don't have the links currently, but: it was already suggested upstream (not by the grsecurity team); Linus had commented on it and required some changes and rejected some others; grsecurity declared that they did not submit these patches and are not interested in including anything upstream.
It seems to me that the grsecurity team (or at least some persons from it) want this redundant work, because this is how they make their living.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2435

Posted: Fri Apr 28, 2017 5:05 pm

I'm reading some on it now. It seems that the grsecurity team wanted an all-or-nothing arrangement.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6242

Posted: Fri Apr 28, 2017 5:38 pm

1clue wrote:
It seems that the grsecurity team wanted an all-or-nothing arrangement.

But being completely aware that certain patches would never have a chance to be accepted. So this was just a handle to never bring anything upstream.
skunk
l33t
Joined: 28 May 2003
Posts: 632
Location: granada, spain

Posted: Sat Apr 29, 2017 12:04 pm

An interesting read that sheds some light on the whole issue...
This is confirming my fears about Linux going more and more mainstream: funds and credits going the wrong way, software of doubtful usefulness being pushed down our throats by almost all distros (systemd), caring less and less about security,...
Maybe I should seriously consider OpenBSD for my next customer's servers :roll:
h4rdened
n00b
Joined: 13 May 2017
Posts: 14

Posted: Sat May 27, 2017 4:25 am

Arrrggg... Well, their decision to only sell can be understood, regarding the huge amount of work they have given away for free over the last 16 years.... (+ the stealing of their security tech)

Maybe if a lot of us buy the testing patch for personal use only, the price can be low enough to be affordable by anyone. Without grsecurity, hardened is dead.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2435

Posted: Sat May 27, 2017 5:54 am

They don't have a pricing option for an individual and don't intend to ever have one. I asked.

I also asked what their minimum pricing model was, got no answer.

Further, they will not authorize distribution of their source to a third party, which specifically means there will be no Linux kernel compiling by users of a distro if you want hardened kernels.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 41714
Location: 56N 3W

Posted: Sat May 27, 2017 8:52 am

1clue,

How does that work with the GPL?

I buy, say, a Linux-based network appliance that's full of binaries. The vendor has to give me the GPL sources if I ask.
In practice, they tend to give me a list of links.

If the network appliance uses the hardened patch set, it's a derived work of the kernel and therefore covered by the GPL.
I can see a contradiction there but not a resolution.
tholin
Apprentice
Joined: 04 Oct 2008
Posts: 152

Posted: Sat May 27, 2017 11:01 am

NeddySeagoon wrote:
How does that work with the GPL?

Lots of info in the comments here:

https://lwn.net/Articles/720983/
https://lwn.net/Articles/721848/

The consensus seems to be that Open Source Security (the company behind grsecurity) can use those terms in their contract but that also makes it infeasible for companies to use the grsecurity patches in user products. That's a pretty big limitation on the usefulness of grsecurity.
Page 1 of 3