grsecurity

grsecurity was added to the IPFire distribution in IPFire 2.15 - Core Update 77 and was removed again in IPFire 2.21 - Core Update 121/122. This was necessary because the patchset was no longer publicly available to use.

We, the IPFire developers, regret to have come to the conclusion that grsecurity is no longer available for us to use. It has been helpful to fight against various vulnerabilities in the past and we have been actively contributing to it wherever we could. Unfortunately, the grsecurity project has made the decision to no longer publicly disclose the patchset ((https://lwn.net/Articles/721848/)) for reasons that we neither understand nor agree with.

We have made the decision to move away from grsecurity since we cannot provide our kernels with constant patches, and a swift release schedule would have been at risk. Basing our kernel on a project that is not working in the open and putting their own financial gain over security is not acceptable for us and many other projects whose steps we are following((https://www.gentoo.org/support/news-items/2017-08-19-hardened-sources-removal.html)).

From a technical perspective, there is nobody who is benefiting from the whole situation. grsecurity was the best way to protect the kernel and userland from various exploits. Luckily, the mainline kernel developers have been working on adapting some features of grsecurity((https://lwn.net/Articles/721750/)) and we are able to keep some of those features enabled in the IPFire kernel as well.

However, the work is not done yet, and we welcome any help to continue hardening the mainline Linux kernel.

July 31, 2018 at 3:13 pm • Michael Tremer