All of lore.kernel.org
 help / color / mirror / Atom feed
From: Olof Johansson <olof@lixom.net>
To: Mathias Krause <minipli@googlemail.com>
Cc: "Kees Cook" <keescook@chromium.org>,
	"Daniel Cegiełka" <daniel.cegielka@gmail.com>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] It looks like there will be no more public versions of PaX and Grsec.
Date: Mon, 1 May 2017 17:39:55 -0700	[thread overview]
Message-ID: <CAOesGMhn+ETGF4Q-ka5UU35D8pv-JeHozKnh_+eXD+evtpa5OA@mail.gmail.com> (raw)
In-Reply-To: <CA+rthh-CO287OpGun1-zYc-V632jSHRuwp=Hm0cAnbo1waJKsw@mail.gmail.com>

On Mon, May 1, 2017 at 3:01 PM, Mathias Krause <minipli@googlemail.com> wrote:

> The first point directly forces them to think through the upstream
> incarnation of a feature, how it differs from their original one and,
> for those parts, how to fix them up to work properly to fit their
> needs, to fit their security requirements. Those changes generate a
> lot of conflicts with their version of the code which takes time to
> fiddle out. As happened for __ro_after_init, MEMORY_SANITIZE,
> USERCOPY,... which only went in in reduced and modified form,
> generating needless work on their side -- from their point of view.

This is the classic pain point of initial upstreaming when you have
been out-of-tree for a long time. We see this all the time for
hardware support as well.

It's a hump to climb, and once you're over it, things settle down
again. The quicker you can get past it, the better off you are.

> The second point, the loose of control over the code, is even worse.
> Not getting any more conflicts when porting the grsecurity/PaX patch
> to a new kernel release makes changes to code that used to live in
> grsecurity/PaX probably go unnoticed. And, as it seem to be the case,
> upstream developers are not always familiar with all the gory details
> and might introduce weaknesses and bugs. This not only makes upstream
> Linux less secure, it makes grsecurity and PaX less secure, too.

The solution to this is to get involved and review code and educate
your peers when they're doing the wrong thing. Linux is developed and
managed based on influence, not control. Influence requires
participation and interaction.


-Olof

  parent reply	other threads:[~2017-05-02  0:39 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-26 21:05 [kernel-hardening] It looks like there will be no more public versions of PaX and Grsec Daniel Cegiełka
2017-04-26 22:04 ` Kees Cook
2017-05-01 22:01   ` Mathias Krause
2017-05-02  0:09     ` Rik van Riel
2017-05-02 14:46       ` Shawn
2017-05-02 18:55         ` Kees Cook
2017-05-03  4:50           ` Shawn
2017-05-03 18:56             ` Rik van Riel
2017-05-03 19:36               ` Daniel Micay
2017-05-04  5:45             ` Kees Cook
2017-05-04  6:47               ` Lionel Debroux
2017-05-05 19:54                 ` Kees Cook
2017-05-04 14:11               ` Shawn
2017-05-04 16:03                 ` Greg KH
2017-05-04 17:12                   ` Shawn
2017-05-04 17:23                     ` Greg KH
2017-05-02 21:16       ` Mathias Krause
2017-05-02 21:50         ` Casey Schaufler
2017-05-02 22:57         ` Kees Cook
2017-05-03 19:02         ` Rik van Riel
2017-05-03 19:27           ` Daniel Micay
2017-05-02  0:39     ` Olof Johansson [this message]
2017-05-02  0:44     ` Casey Schaufler
2017-05-02  0:54     ` Kees Cook
2017-05-11  1:24       ` PaX Team
2017-05-11 16:30         ` Daniel Micay
2017-05-11 18:02         ` Kees Cook
2017-05-12 11:34           ` Hunger
2017-07-31 13:38         ` Solar Designer
2017-05-02 11:11     ` David Gens
2017-05-02 21:27       ` Mathias Krause
2017-05-03  8:59         ` David Gens
2017-05-03 19:10           ` Rik van Riel
     [not found] <1788778362.1495506.1493751985632.ref@mail.yahoo.com>
2017-05-02 19:06 ` Lionel Debroux
2017-05-02 22:35   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAOesGMhn+ETGF4Q-ka5UU35D8pv-JeHozKnh_+eXD+evtpa5OA@mail.gmail.com \
    --to=olof@lixom.net \
    --cc=daniel.cegielka@gmail.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=minipli@googlemail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.