2.6.16 is out

Discuss and suggest new grsecurity features

Postby forsaken » Mon Mar 20, 2006 4:16 am

Are you guys planning a grsec patch for .16 ?
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Postby Hal9000 » Mon Mar 20, 2006 5:36 am

if you would read this forum, like for example two topics below this one, you would know the answer...
Hal9000
 
Posts: 78
Joined: Wed Jun 16, 2004 2:40 am

Postby forsaken » Mon Mar 20, 2006 6:40 am

Yes, but that was only pax.
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Postby Platyna » Thu Mar 23, 2006 7:04 am

So, when will there be grsecurity for 2.6.16?

Regards.
Platyna
 
Posts: 17
Joined: Fri Jul 29, 2005 5:04 pm

Postby Zhenech » Thu Mar 23, 2006 8:40 am

i'd say "it's done when it's done"
yes, i also would like to have the patch today, but i think spender and pax team need time.
Zhenech
 
Posts: 10
Joined: Wed Jun 15, 2005 5:44 am

Postby PaX Team » Thu Mar 23, 2006 12:45 pm

Zhenech wrote:
i'd say "it's done when it's done"
yes, i also would like to have the patch today, but i think spender and pax team need time.

indeed, and that's the weekend only. and there's life besides computers.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby lgrochal » Sat Mar 25, 2006 7:39 pm

Certainly. Still, there are people who try to plan things like firewall upgrades, server upgrades, hardware migrations etc. Normal sysadmin stuff, you know. It's highly disturbing when you don't know what to expect from a piece of software you've once chosen to play a key role in the systems you've built. It makes your decisions even harder when the developer of that software clearly says he won't care about even the roughest estimates of when you can expect anything to happen. Predictability is the key here, you know. Now, correct me if I'm wrong, but I believe it's not so hard to estimate when a new version has a chance to be ready. People don't usually need exact dates. Things like 'in a month', 'in two weeks', 'a month after the release of a new kernel' and even 'we've stalled for some time, sorry, we'll tell you when we're able to go on with development again', are usually enough. I'd say that's the key to being anything more than a nice gadget targeted at the computer enthusiasts.

Regards,

--
Lukasz Grochal
lgrochal
 
Posts: 2
Joined: Sat Mar 25, 2006 11:49 am

Postby buzzzo » Sun Mar 26, 2006 3:58 pm

lgrochal wrote:
Certainly. Still, there are people who try to plan things like firewall upgrades, server upgrades, hardware migrations etc. Normal sysadmin stuff, you know. It's highly disturbing when you don't know what to expect from a piece of software you've once chosen to play a key role in the systems you've built. It makes your decisions even harder when the developer of that software clearly says he won't care about even the roughest estimates of when you can expect anything to happen. Predictability is the key here, you know. Now, correct me if I'm wrong, but I believe it's not so hard to estimate when a new version has a chance to be ready. People don't usually need exact dates. Things like 'in a month', 'in two weeks', 'a month after the release of a new kernel' and even 'we've stalled for some time, sorry, we'll tell you when we're able to go on with development again', are usually enough. I'd say that's the key to being anything more than a nice gadget targeted at the computer enthusiasts.

Regards,

--
Lukasz Grochal


IMHO, it is not a problem to remain on an older kernel, say 2.6.14.x.
The big problem is when 2.6.14.x has one or more security bugs, which are fixed with
a new version, say 2.6.15 or 2.6.14.x+1.

It does not make sense to have a "grsecurity hardened" kernel when this kernel has
a lot of bugs (security related or not) not fixed.

So it's better to choose a kernel that works with grsec, and in the meantime maintain it with patches released from the grsec team that address the various bugs (sec related or not) that this kernel will require.

This is my 2 cents .

bye
buzzzo
 
Posts: 6
Joined: Tue Feb 18, 2003 12:41 pm

Postby zImage » Mon Mar 27, 2006 10:45 am

Good news:

With the release of the 2.6.16 Linux kernel, Adrian Bunk reiterated his previously debated intention of maintaining the 2.6.16.y kernel tree well into the future.

http://kerneltrap.org/node/6386
zImage
 
Posts: 10
Joined: Mon Mar 27, 2006 10:44 am

Postby spender » Tue Mar 28, 2006 9:19 pm

I have the patch essentially ported right now, but need to work out a problem or two with the PaX team before putting the patch up for testing. There were many changes between 2.6.14 and 2.6.16, some of which actually helped reduce the size of the patch a bit. Because of the many changes it's important that we do a thorough job of ensuring that the changes haven't affected grsecurity in any way (such as adding new system calls that could be unprotected in the RBAC system).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby forsaken » Thu Mar 30, 2006 6:26 am

Nice work Brad and Pax team.

I applied the 2.6.16 patch on 2.6.16.1 and it applied cleanly except for an i810 reject, but since I don't use i810 it shouldn't affect me.
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Postby PaX Team » Thu Mar 30, 2006 3:19 pm

lgrochal wrote:
Certainly. Still, there are people who try to plan things like firewall upgrades, server upgrades, hardware migrations etc. Normal sysadmin stuff, you know. It's highly disturbing when you don't know what to expect from a piece of software you've once chosen to play a key role in the systems you've built. It makes your decisions even harder when the developer of that software clearly says he won't care about even the roughest estimates of when you can expect anything to happen. Predictability is the key here, you know. Now, correct me if I'm wrong, but I believe it's not so hard to estimate when a new version has a chance to be ready. People don't usually need exact dates. Things like 'in a month', 'in two weeks', 'a month after the release of a new kernel' and even 'we've stalled for some time, sorry, we'll tell you when we're able to go on with development again', are usually enough. I'd say that's the key to being anything more than a nice gadget targeted at the computer enthusiasts.

Regards,

--
Lukasz Grochal

i wasn't going to answer this but then i figured this might (as it had before) come up again and again, so better do it now. what you are missing in the above rant^Wcomplaint is that grsecurity is not a commercial paid-for service, you're using it for free and it was your decision to put it into a production environment despite all the other factors, not ours. if you want customer support then do what everyone else in charge of production systems does - choose a vendor and pay for their product and services.

regards,

second lieutenant gadget officer
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby buzzzo » Fri Mar 31, 2006 5:55 am

Pax Team wrote:


i wasn't going to answer this but then i figured this might (as it had before) come up again and again, so better do it now. what you are missing in the above rant^Wcomplaint is that grsecurity is not a commercial paid-for service, you're using it for free and it was your decision to put it into a production environment despite all the other factors, not ours. if you want customer support then do what everyone else in charge of production systems does - choose a vendor and pay for their product and services.

regards,

second lieutenant gadget officer


You're right, but maintaining the grsec patch by fixing security bugs of the hosted kernel (2.4.14.x for example) could help people to make donations to the project.

Bye
buzzzo
 
Posts: 6
Joined: Tue Feb 18, 2003 12:41 pm

Postby Platyna » Fri Mar 31, 2006 11:00 am

Pax Team, it is a philosophy comparable with making an axe and being surprised that people use it for wood cutting, not as a children's toy.

Patches like grsecurity have no point besides production environments; people on their workstations don't need the features grsecurity provides, people running production, multiuser systems need them, and such systems require upgrades. We all appreciate not-for-profit effort but it requires an attitude which actually fits the idea of such software, otherwise you may just abandon the project because you are only wasting your precious time and start developing an MP3 player. Usually people start not-for-profit initiatives to enjoy them, and for other people to share this joy, but you, instead of enjoying the fact your work has gained respect among sysadmins who do serious and responsible work and put a considerable amount of trust in this project, behave like we were some annoyance.

Regards.
Platyna
 
Posts: 17
Joined: Fri Jul 29, 2005 5:04 pm

Postby lgrochal » Fri Mar 31, 2006 6:39 pm

PaX Team wrote:
what you are missing in the above rant^Wcomplaint is that grsecurity is not a commercial paid-for service, you're using it for free and it was your decision to put it into a production environment despite all the other factors, not ours. if you want customer support then do what everyone else in charge of production systems does - choose a vendor and pay for their product and services.

It's actually the second time I see such a statement. The first was from Hans Reiser, about his ReiserFS filesystem, and was made after major problems with ReiserFS leading to data corruption were found in the code. It went essentially like: "yes, it's unstable, it will chew your data, but hey - you haven't paid a dime for it so what are you expecting? If you want your data back, pay me and I'll restore it for you." I've never used this FS since then. Guess I wasn't the only one to make this decision.

You've managed to completely miss my point (not only you, as a matter of fact). It's not about the software or software support. It's about the authors, their attitude, and their potential of being predictable in their work. It can't be bought, no matter how much money one'd have to spend for IT. It's something you earn with time.

Anyways, thanks for the clarification - this indeed will make the decisions easier.

So long, and thanks for all the fish ;)

--
Lukasz Grochal
lgrochal
 
Posts: 2
Joined: Sat Mar 25, 2006 11:49 am
