grsecurity: discontinue support #25277
Upstream has decided to make -testing patches private, effectively ceasing free support for grsecurity/PaX [1]. Consequently, we can no longer responsibly support grsecurity on NixOS.

As a first step, turn the patch & kernel expressions into eval errors. It's unclear whether we might want to prune all grsec/PaX stuff from the tree --- the infrastructure might be useful to users wishing to build NixOS against grsec patches they've paid for. OTOH, I certainly cannot support that use-case, so bit-rot is a real concern.

[1]: https://grsecurity.net/passing_the_baton.php
cc @copumpkin
To clarify, my preference is to prune all PaX/grsec stuff.
My inclination would be to wait a bit and see how the other communities react to it, and then do what they do, possibly shifting this stuff into a separate less maintained repo that people can import as needed if they have access to the private patches.
For context, Arch Linux is dropping support as well: https://lists.archlinux.org/pipermail/arch-general/2017-April/043604.html

From my end, I consider support to be over here as well, but it's of course open to others to continue it :)
Merged a squashed variant of this.
😦 We should probably kill all the paxmark support in the stdenv and various packages too, then.
I'd delete the paxmark stuff last, but certainly all the rest should be pruned in good time before 17.09 at least, I'm sad to say.
The rationale for holding on to paxmark for a while longer than the rest is that it's fairly low impact and it can feasibly be useful for somebody wanting to use nixpkgs on their paid-for-grsec system.
Fair enough!
I'm strongly in favor of just deleting everything, TBH. Supporting dead code for use-cases barely anyone will have (not just using NixOS but also paying a grsec license) only has negative effects, IMO. I agree with Micay from the Arch list: there are no good answers here and nothing is comparable. It's best to just drop it now, since it's going to be nothing but dead weight in the future.
I certainly won't complain if somebody took it upon themselves to do the purge. From my pov, this is the minimally responsible change we can do, I'm just not in the mood to do much more on this for a while (it's quite a bit of effort turned to nothing, after all) ...
It still seems possible that some people will fork it and continue a free/libre version, but I can't judge the likelihood of that.
@vcunat my impression is that people are focusing on porting grsecurity/PaX features piecemeal with a view towards upstream integration. It looks like a gigantic amount of work, however, and the incentives to free ride are strong. I guess we can hope that one of the larger vendors "takes one for the team" as it were and puts forth the funds required to carry this forward, but right now it looks kind of bleak, I'm sad to say. Would like to be proven wrong, though!
For those interested in further developments of grsecurity/PaX who might not have seen it, https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project#Progress_tracking may be of interest
OK. Thanks for the information.
Nixpkgs discontinued grsecurity support: #25277.
New page for linux (kernel) security developments, if someone is interested:
/cc @Ericson2314 PR was #46857. This line broke macOS cross compilation. paxctl cannot be built on macOS. Maybe it can be fixed, but no reason to break things unnecessarily. Regardless, you definitely need to be more careful about backporting. I think it's fine to move fast and break things on master, but with release-18.09 we should be more careful. Something like more automated testing for cross compilation would also be helpful (hopefully even making it block).
More than one year ago we removed grsecurity kernels from nixpkgs: NixOS#25277. This now also removes paxutils from stdenv.