
2.6.16 is out

Posted: Mon Mar 20, 2006 4:16 am
by forsaken
Are you guys planning a grsec patch for .16 ?

Posted: Mon Mar 20, 2006 5:36 am
by Hal9000
if you would read this forum, like for example two topics below this one, you would know the answer...

Posted: Mon Mar 20, 2006 6:40 am
by forsaken
Yes, but that was only pax.

Posted: Thu Mar 23, 2006 7:04 am
by Platyna
So, when will there be grsecurity for 2.6.16?

Regards.

Posted: Thu Mar 23, 2006 8:40 am
by Zhenech
i'd say "it's done when it's done"
yes, i also would like to have the patch today, but i think spender and pax team need time.

Posted: Thu Mar 23, 2006 12:45 pm
by PaX Team
Zhenech wrote: i'd say "it's done when it's done"
yes, i also would like to have the patch today, but i think spender and pax team need time.

indeed, and that's the weekend only. and there's life besides computers.

Posted: Sat Mar 25, 2006 7:39 pm
by lgrochal
Certainly. Still, there are people who try to plan things like firewall upgrades, server upgrades, hardware migrations etc. Normal sysadmin stuff, you know. It's highly disturbing when you don't know what to expect from a piece of software you've once chosen to play a key role in the systems you've built. It makes your decisions even harder when the developer of that software clearly says he won't care about even the roughest estimates of when you can expect anything to happen. Predictability is the key here, you know. Now, correct me if I'm wrong, but I believe it's not so hard to estimate when a new version has a chance to be ready. People don't usually need exact dates. Things like 'in a month', 'in two weeks', 'a month after the release of a new kernel' and even 'we've stalled for some time, sorry, we'll tell you when we're able to go on with development again', are usually enough. I'd say that's the key to being anything more than a nice gadget targeted at the computer enthusiasts.

Regards,

--
Lukasz Grochal

Posted: Sun Mar 26, 2006 3:58 pm
by buzzzo
lgrochal wrote:
Certainly. Still, there are people who try to plan things like firewall upgrades, server upgrades, hardware migrations etc. Normal sysadmin stuff, you know. It's highly disturbing when you don't know what to expect from a piece of software you've once chosen to play a key role in the systems you've built. It makes your decisions even harder when the developer of that software clearly says he won't care about even the roughest estimates of when you can expect anything to happen. Predictability is the key here, you know. Now, correct me if I'm wrong, but I believe it's not so hard to estimate when a new version has a chance to be ready. People don't usually need exact dates. Things like 'in a month', 'in two weeks', 'a month after the release of a new kernel' and even 'we've stalled for some time, sorry, we'll tell you when we're able to go on with development again', are usually enough. I'd say that's the key to being anything more than a nice gadget targeted at the computer enthusiasts.

Regards,

--
Lukasz Grochal


IMHO, it is not a problem to remain on an older kernel, say 2.6.14.x.
The big problem is when 2.6.14.x has one or more security bugs, which are fixed with
a new version, say 2.6.15 or 2.6.14.x+1.

It does not make sense to have a "grsecurity hardened" kernel when this kernel has
a lot of bugs (security related or not) not fixed.

So it's better to choose a kernel that works with grsec, and in the meantime maintain it with patches released from the grsec team that address the various bugs (sec related or not) that this kernel will require.

This is my 2 cents.

bye

Posted: Mon Mar 27, 2006 10:45 am
by zImage
Good news:

With the release of the 2.6.16 Linux kernel, Adrian Bunk reiterated his previously debated intention of maintaining the 2.6.16.y kernel tree well into the future.

http://kerneltrap.org/node/6386

Posted: Tue Mar 28, 2006 9:19 pm
by spender
I have the patch essentially ported right now, but need to work out a problem or two with the PaX team before putting the patch up for testing. There were many changes between 2.6.14 and 2.6.16, some of which actually helped reduce the size of the patch a bit. Because of the many changes it's important that we do a thorough job of ensuring that the changes haven't affected grsecurity in any way (such as adding new system calls that could be unprotected in the RBAC system).

-Brad

Posted: Thu Mar 30, 2006 6:26 am
by forsaken
Nice work Brad and Pax team.

I applied the 2.6.16 patch on 2.6.16.1 and it applied cleanly except for an i810 reject, but since I don't use i810 it shouldn't affect me.

Posted: Thu Mar 30, 2006 3:19 pm
by PaX Team
lgrochal wrote: Certainly. Still, there are people who try to plan things like firewall upgrades, server upgrades, hardware migrations etc. Normal sysadmin stuff, you know. It's highly disturbing when you don't know what to expect from a piece of software you've once chosen to play a key role in the systems you've built. It makes your decisions even harder when the developer of that software clearly says he won't care about even the roughest estimates of when you can expect anything to happen. Predictability is the key here, you know. Now, correct me if I'm wrong, but I believe it's not so hard to estimate when a new version has a chance to be ready. People don't usually need exact dates. Things like 'in a month', 'in two weeks', 'a month after the release of a new kernel' and even 'we've stalled for some time, sorry, we'll tell you when we're able to go on with development again', are usually enough. I'd say that's the key to being anything more than a nice gadget targeted at the computer enthusiasts.

Regards,

--
Lukasz Grochal

i wasn't going to answer this but then i figured this might (as it had before) come up again and again, so better do it now. what you are missing in the above rant^Wcomplaint is that grsecurity is not a commercial paid-for service, you're using it for free and it was your decision to put it into a production environment despite all the other factors, not ours. if you want customer support then do what everyone else in charge of production systems does - choose a vendor and pay for their product and services.

regards,

second lieutenant gadget officer

Posted: Fri Mar 31, 2006 5:55 am
by buzzzo
Pax Team wrote:


i wasn't going to answer this but then i figured this might (as it had before) come up again and again, so better do it now. what you are missing in the above rant^Wcomplaint is that grsecurity is not a commercial paid-for service, you're using it for free and it was your decision to put it into a production environment despite all the other factors, not ours. if you want customer support then do what everyone else in charge of production systems does - choose a vendor and pay for their product and services.

regards,

second lieutenant gadget officer


You're right, but maintaining the grsec patch by fixing security bugs of the hosted kernel (2.4.14.x for example) could help people to make donations to the project.

Bye

Posted: Fri Mar 31, 2006 11:00 am
by Platyna
Pax Team, it is a philosophy comparable with making an axe and being surprised people use it for wood cutting, not as a children's toy.

Patches like grsecurity have no point besides production environments: people on their workstations don't need the features grsecurity provides; people running production, multiuser systems need them, and such systems require upgrades. We all appreciate not-for-profit effort, but it requires an attitude which actually fits the idea of such software; otherwise you may just abandon the project, because you are only wasting your precious time, and start developing an MP3 player. Usually people start not-for-profit initiatives to enjoy them, and for other people to share this joy, but you, instead of enjoying the fact your work has gained respect among sysadmins who do serious and responsible work and put a considerable amount of trust in this project, behave like we were some annoyance.

Regards.

Posted: Fri Mar 31, 2006 6:39 pm
by lgrochal
PaX Team wrote:what you are missing in the above rant^Wcomplaint is that grsecurity is not a commercial paid-for service, you're using it for free and it was your decision to put it into a production environment despite all the other factors, not ours. if you want customer support then do what everyone else in charge of production systems does - choose a vendor and pay for their product and services.


It's actually the second time I see such a statement. The first was from Hans Reiser, about his ReiserFS filesystem, and was made after major problems with ReiserFS leading to data corruption were found in the code. It went essentially like: "yes, it's unstable, it will chew your data, but hey - you haven't paid a dime for it so what are you expecting? If you want your data back, pay me and I'll restore it for you." I've never used this FS since then. Guess I wasn't the only one to make this decision.

You've managed to completely miss my point (not only you, as a matter of fact). It's not about the software or software support. It's about the authors, their attitude, and their potential of being predictable in their work. It can't be bought, no matter how much money one'd have to spend for IT. It's something you earn with time.

Anyways, thanks for the clarification - this indeed will make the decisions easier.

So long, and thanks for all the fish ;)

--
Lukasz Grochal