[arch-general] End of official PaX and grsecurity support in Arch Linux

Carsten Mattner carstenmattner at gmail.com
Thu Apr 27 19:11:10 UTC 2017


This is an undesirable situation for users, but I want to offer a
positive outlook on this. Ever since KSPP started, some of the
dynamics started to shift and I wager that closing off grsec will
motivate more users and developers to consider supporting efforts that
are in mainline Linux. Short-term, this is a problem and may require
relying and hoping 4.9-lts-grsec will be available and functioning.
When BitKeeper licensing was revoked from the community, it didn't
take long for git to emerge. I see a similar pattern and high
potential for repetition of the same dynamics here. No grsec will
force people to either subscribe à la RHEL and hope spender is able to
fulfill his end of the contract or support KSPP and seamless LSM
integration in major distro packages.

I must admit that spender may have started a process that will result
in arriving quicker at the mainline kernel having a comparable set of
protections. Because as long as grsec was there and offered for
relatively recent kernels, there wasn't much motivation or arguments
to make to support a mainline reimplementation.

I believe this will light a fire under KSPP and related
community-driven projects.

I faintly remember when there was OpenGrsec because grsec was dead or
zombie, but that was at least a decade ago and my memory is probably
incomplete.

I mean some grsec users might consider fleeing to HardenedBSD since
they provide a whole system like Hardened Gentoo, especially those
using grsec on hosting servers where the availability of jails,
Capsicum, ZFS, DTrace, ports and hardenedbsd may have already looked
enticing.

