Re: Support Grsecurity/PaX

Home Messages Hashtags Subgroups

#22

Re: Support Grsecurity/PaX

Kevin P. Fleming (BLOOMBERG/ 731 LEX) #22 (sorry for top-posting, our message system doesn't believe anything else is possible) The funding for the fuzzing project is intentionally short-to-medium-term, with two goals: helping to learn the 'state of the world' (which will feed into the census, and future support/funding decisions), and producing better and easier-to-apply fuzzing tools so that project teams can run them on their own software to identify flaws as early as possible. It's definitely not a long-term 'fuzz test the world' project. The funding for Frama-C is for further development of the tool (and related tools), not funding to do static analysis of large bodies of open source software. As a result, neither of these are suitable comparisons to the request for funding of grsecurity/PaX. Such a request would be more comparable to funding OpenSSL, ntpd, etc. Those are also not open-ended funding commitments, but are based on achieving improvements (in some cases, milestones) to continue funding. It's certainly possible that the SC would consider a funding proposal for grsecurity/PaX, but such a proposal would need to include reasonably well defined goals/milestones, and there's no question that the committee discussion would include the topic of the in-tree/out-of-tree status of these tools. toggle quoted messageShow quoted text From: pageexec@... At: Aug 19 2015 17:56:13 To: Jason@..., dankohn@... Cc: cii-census@..., cii-discuss@..., spender@... Subject: Re: [cii-census] Support Grsecurity/PaX On 19 Aug 2015 at 13:37, Dan Kohn wrote: Hi Dan, > On Wed, Aug 19, 2015 at 11:32 AM, Jason A. Donenfeld <Jason@...> wrote: > > Of course there are worthwhile > > kernel projects that are not a part of mainline. > > One last question for you: could you name other such projects (not > necessarily security-related). Nearly every other out-of-mainline > project I'm aware of has eventually either merged or died out. Let's hope you only had bad luck and that's why you aren't aware of any of these ;) http://lttng.org/download/ http://www.sysdig.org/wiki/how-to-install-sysdig-from-the-source-code/ http://open-mx.gforge.inria.fr/download/ http://knem.gforge.inria.fr/download/ http://download.savannah.gnu.org/releases/davfs2/ http://www.openafs.org/release/index.html http://www.asterisk.org/downloads/dahdi https://www.virtualbox.org/wiki/Downloads https://www.jetico.com/linux/installation.html http://zfsonlinux.org/ http://aufs.sourceforge.net/ http://cryptodev-linux.org/download.html http://loop-aes.sourceforge.net/loop-AES/ https://www.rsbac.org/download http://cdemu.org/about/vhba/ https://github.com/vmware/open-vm-tools http://scst.sourceforge.net/downloads.html http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/ As for the requirement of mainlining grsec, it's not possible since we know right off the start that some of the features and other changes are not acceptable at all (say, all the x86 segmentation based code). Second, for the potentially viable pieces this would be a multi-year full time job. Is the CII willing to fund projects at that level? If not we all would end up with lots of unfinished and partially broken features. Third, you're actually wrong as to what is needed for mainline acceptance, it's most definitely not enough to dump the code on them and let the community figure it all out and take care of it. If anything, the exact opposite is true, for any non-trivial amount of code there has to be a pledge for long-term maintenance from the submitters (so regardless where grsec stays, in-tree or out-of-tree, the maintenance burden would still be ours for some years at least, with corresponding need of funding). Fourth, you mentioned the potential futility of not funding grsec indefinitely. It begs the question why it is then worth doing the same for the fuzzing project or Frama-C. I hope noone at CII believes that a year or two of fuzzing and static analysis will exterminate all bugs so what happens after their funding runs out? Or are you suggesting that they can be funded indefinitely but for some reason grsec could not be? In any case, it is your money and decision at the end and we thank you for your attention at least. However it is also clear that we have a different understanding of what constitutes securing the core infrastructure. cheers, PaX Team _______________________________________________ cii-census mailing list cii-census@... https://lists.coreinfrastructure.org/mailman/listinfo/cii-census
More All Posts By This Member

View All 18 Messages In Topic

#22

Join cii-census@lists.coreinfrastructure.org to automatically receive all group messages.