Date: Tue, 18 Dec 2018 15:11:30 +0100
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: James Hilliard <james.hilliard1@...il.com>
Subject: Re: grsecurity updated source code

On Mon, Dec 17, 2018 at 07:13:53PM -0700, James Hilliard wrote:
> I've obtained and uploaded a recent grsecurity kernel here:
> https://github.com/jameshilliard/linux-grsec/
> 
> From my understanding this is the stable patch.
> 
> Source code was obtained from a vendor via GPL request.

As a moderator, I reluctantly accepted James' message.  Here are the
aspects I considered:

- Availability of Linux kernel hardening changes is on-topic here.

- The kernel-hardening mailing list isn't limited to KSPP, so even if
KSPP's current stance is possibly not to use code from "closed"
grsecurity this doesn't make the message inappropriate for the list.

I also thought of many other aspects, but found them personal,
subjective, and/or outright irrelevant to my decision-making as a
moderator, so I didn't let them affect the moderation decision:

- Having this posted might result in some vendor's access to further
grsecurity patches getting revoked.  Maybe that will negatively affect
that vendor's product security, and thus security of their users.

- Having this posted might boost "accusations" against KSPP of
"stealing" "closed" grsecurity work, regardless of whether there will be
any use of this work by KSPP or not.  (I've seen such things stated as
if they were accusations on some discussion forums, but not
substantiated.  Now they might start referring to this thread.)

- The reasons not to reuse "closed" grsecurity work under KSPP are that
it's not independent innovation (does independent innovation have value
on its own or/and would it be NIH syndrome?), that there's still more
than enough to go through in older grsecurity, and that reusing the
"closed" grsecurity work would go against their preference.  As far as
I'm aware, there's nothing really stopping KSPP from doing that, and
doing it might be for the benefit of Linux users.

- I dislike the drama.  I wish James' message were never sent in here,
as having it posted might contribute to further drama.

- Having this posted might upset Brad.  That makes me unhappy.

- I guess having this posted won't negatively affect grsecurity's
business.  In fact, this is more like availability of a temporary
free trial, which might boost sales a bit later.

- I actually have mixed feelings about their business.  On one hand,
it's cutting-edge Linux kernel hardening work that still benefits some
users, and it's great that people are paid for the work.  On the other,
grsecurity has demonstrated that they may use money against free speech.

- At this point, I would be only slightly surprised if approving this
kind of messages results in Brad threatening me.  I still have enough
respect for him that I hope he won't.

I also thought of possibly not commenting on my moderation decision, or
not listing the "personal, subjective, and/or outright irrelevant"
thoughts above as they might contribute to the drama.  But in the end I
have included them, (naively?) hoping they'd help avoid further drama
and need to explain that/why these things didn't affect the decision.

Alexander
