[Dev] Fwd: Re: Grsec and Linux-libre

Luke g4jc at openmailbox.org
Fri Dec 23 02:33:25 GMT 2016

FYI, Brad was kind enough to provide an automated removal tool for
applying grsec-libre patches.

Syntax is:
python2 librefix.py grsecurity-*.patch

Thank you Brad and Merry Christmas! :)

-------- Forwarded Message --------
Subject: 	Re: Grsec and Linux-libre
Date: 	Wed, 21 Dec 2016 22:01:22 -0500
From: 	Brad Spengler <spender at grsecurity.net>
To: 	Luke <g4jc at openmailbox.org>

Hi Luke,

Why not just the Python unidiff.PatchSet ?  It's trivial to remove
specific files from a diff that way.  Attached is a script that will do


On Thu, Dec 22, 2016 at 02:37:57AM +0000, Luke wrote:
> Hello Brad,
> We are still using grsec for our infrastructure at Parabola
> GNU/Linux-libre, and it is an essential part of our distribution.
> Thank you for continuing to offer the test patches for free.
> However, over the past year(?) or so a non-free firmware blob was added
> to grsec. 
> This causes grsec patch to fail when ran against the linux-libre kernel.
> ( http://www.fsfla.org/ikiwiki/selibre/linux-libre/ )
> I have also heard report that it is causing the deblob script in Gentoo
> to conflict with hardened-sources and fails to build.
> We have been manually patching grsec and removing the blob for our
> distro, but it is a tedious process each time a new release is made.
> I have been looking into a way of automating this so that we always have
> the latest grsec patches, and see two possible solutions.
> 1) Place the blob at the beginning of the grsec patch so that it is
> always at the same line(s) and we can use sed to remove the blob. e.g.
> sed '2,1400d' grsec*.patch
> - This solution will work unless the blob grows or becomes smaller.
> Currently, it is not a good solution since the blob moves periodically
> throughout the file each time there is a new version.
> 2) Provide a version of grsec without the non-free firmware.
> (Since the blob is an updated version of BNX2 firmware, maybe getting
> upstream kernel.org to update their blob would solve the need for it to
> be included in the grsec patch?)
> Any other ideas you could offer are also appreciated.
> Thanks.
> Sincerely,
> Luke
> Packager for Parabola GNU/Linux-libre
> https://parabola.nu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161223/00538615/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: librefix.py
Type: text/x-python
Size: 587 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161223/00538615/attachment.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161223/00538615/attachment.sig>

More information about the Dev mailing list