Bug#867166: Future of linux-grec in Debian
I think this bug can be closed now.

Jordan
Bug#867166: Future of linux-grec in Debian
On Fri, 2017-10-27 at 05:58 -0400, Jordan Glover wrote:
> linux-grsec-base[1] is missing from stable-backports and I don't see it
> being prepared for upload there[2]. Other than that this bug can be closed.
> Thanks for your work.
>
> [1] https://tracker.debian.org/pkg/linux-grsec-base
> [2] https://anonscm.debian.org/git/collab-maint/linux-grsec-base.git

I was waiting for the image itself to be accepted, I'll prepare the
linux-grsec-base backport next.

Regards,
--
Yves-Alexis
Bug#867166: Future of linux-grec in Debian
linux-grsec-base[1] is missing from stable-backports and I don't see it being prepared for upload there[2]. Other than that this bug can be closed. Thanks for your work.

[1] https://tracker.debian.org/pkg/linux-grsec-base
[2] https://anonscm.debian.org/git/collab-maint/linux-grsec-base.git
Bug#867166: Future of linux-grec in Debian
On Wed, 2017-10-04 at 18:29 -0400, Jordan Glover wrote:
> I saw that new version landed in unstable. Is it possible to have it in
> stable-backports?

Yes, that's my intention, although I intend to let it stay in unstable for a
bit before doing the stable-backports upload (and oldstable-backports).

> I think it will be best to have it in stable-backports ONLY (without
> unstable) where it can live until 4.9 kernel gets EOL.

Unfortunately that's not possible. We already have an exception from the BPO
team for not being in testing, not having the package in unstable looks even
worse I guess.

> In case of unstable the gap between vanilla kernel and 4.9 will get bigger
> and bigger and userspace tools may want to use new features unavailable in
> 4.9 LTS thus grsec value is lower there.

I'm not sure what you mean by that. Which kind of tool? In any case any
userland in buster needs to handle the kernel in stretch.

> Of course if it's not possible let it be as it is. Thanks for your efforts.
>
> BTW: Here's some tools for building grsec kernel reproducible in case it's
> useful to you.
> https://github.com/hardenedlinux/grsecurity-reproducible-build

Honestly I'm not sure I'll have time to take a look, but if people from the
reproducible team want me to include some specific changes, let me know.

Regards,
--
Yves-Alexis
Bug#867166: Future of linux-grec in Debian
I saw that new version landed in unstable. Is it possible to have it in stable-backports?

I think it will be best to have it in stable-backports ONLY (without unstable) where it can live until 4.9 kernel gets EOL. In case of unstable the gap between vanilla kernel and 4.9 will get bigger and bigger and userspace tools may want to use new features unavailable in 4.9 LTS thus grsec value is lower there.

Of course if it's not possible let it be as it is. Thanks for your efforts.

BTW: Here's some tools for building grsec kernel reproducible in case it's useful to you.
https://github.com/hardenedlinux/grsecurity-reproducible-build
Bug#867166: Future of linux-grec in Debian
On Tue, 2017-07-04 at 10:22 -0400, Jordan Glover wrote:
> Thank you for the reply. It's great that you consider packaging one of the
> forward ports.
>
> Just one more question - Is it possible for you to update current package to
> latest official version (from 4.9.18 to 4.9.24)? That would be nice
> temporary solution while you are too busy to make general decisions. I don't
> know how much work is needed to do it so ignore this if that work is still
> substantial.

I might take a look but I'm not too keen on losing time to upgrade to an
already outdated version, to be honest.

Regards,
--
Yves-Alexis
Bug#867166: Future of linux-grec in Debian
Thank you for the reply. It's great that you consider packaging one of the forward ports.

Just one more question - Is it possible for you to update current package to latest official version (from 4.9.18 to 4.9.24)? That would be nice temporary solution while you are too busy to make general decisions. I don't know how much work is needed to do it so ignore this if that work is still substantial.

You can find official patches archived in:
https://github.com/slashbeast/grsecurity-scrape/tree/master/test/4.9.24
https://github.com/linux-scraping/grsecurity-patches/tree/master/grsec-4.9
Bug#867166: Future of linux-grec in Debian
On Tue, 2017-07-04 at 08:25 -0400, Jordan Glover wrote:
> I wanted to ask you about the future of linux-grsec in debian. The package
> wasn't updated for some time and it's now at 4.9.18 version while last
> official grsecurity version is 4.9.24. Additionally there are few forward
> ports of grsecurity for 4.9 LTS kernel line [1],[2] .

Hi, thanks for the bug report. Right now, my last position on this is still
https://www.corsac.net/?rub=blog&post=1587 and I didn't really have time to
move forward (how unfortunate that can be). I'm toying with the idea to use
Mathias Krause repository ([2] on your mail) but there might be some
additional work besides just pulling the patch so I didn't really move
forward on this.

>
> As 4.9 LTS kernel is used in current Debian stable release, something like
> linux-unofficial_grsec, based on forward grsec ports for 4.9 kernel would be
> a great addition for stable-backports and/or unstable. It could be abandoned
> when 4.9 kernel gets EOL status. Hopefully by then mainline linux will get
> some security improvements, currently worked on linux-hardened project [2]
> and KSPP .

Indeed.

>
> It will be nice to clarify linux-grsec package situation as users now get
> stuck in limbo.

Honestly, I'm still not clear on that, and I don't have a lot of spare time
on this, so any additional work gets in the way.

Regards,
--
Yves-Alexis
Bug#867166: Future of linux-grec in Debian
Source: linux-grsec
Severity: serious

I wanted to ask you about the future of linux-grsec in debian. The package wasn't updated for some time and it's now at 4.9.18 version while last official grsecurity version is 4.9.24. Additionally there are few forward ports of grsecurity for 4.9 LTS kernel line [1],[2] .

As 4.9 LTS kernel is used in current Debian stable release, something like linux-unofficial_grsec, based on forward grsec ports for 4.9 kernel would be a great addition for stable-backports and/or unstable. It could be abandoned when 4.9 kernel gets EOL status. Hopefully by then mainline linux will get some security improvements, currently worked on linux-hardened project [2] and KSPP .

As for now there is nothing comparable to grsecurity and losing it completely would be huge blow for debian community. I know that Alpine Linux developers decided to continue maintaining their grsec a like kernel [3].

It will be nice to clarify linux-grsec package situation as users now get stuck in limbo.

[1] https://github.com/dapperlinux/dapper-secure-kernel-patchset-stable
[2] https://github.com/minipli/linux-unofficial_grsec/releases
[3] https://github.com/thestinger/linux-hardened
[4] https://pkgs.alpinelinux.org/package/edge/main/x86_64/linux-hardened