[Dev] Fwd: Re: Grsec and Linux-libre
Luke
g4jc at openmailbox.org
Fri Dec 23 02:33:25 GMT 2016
FYI, Brad was kind enough to provide an automated removal tool for
applying grsec-libre patches.
Syntax is:
python2 librefix.py grsecurity-*.patch
Thank you Brad and Merry Christmas! :)
-------- Forwarded Message --------
Subject: Re: Grsec and Linux-libre
Date: Wed, 21 Dec 2016 22:01:22 -0500
From: Brad Spengler <spender at grsecurity.net>
To: Luke <g4jc at openmailbox.org>
Hi Luke,
Why not just the Python unidiff.PatchSet ? It's trivial to remove
specific files from a diff that way. Attached is a script that will do
it.
-Brad
On Thu, Dec 22, 2016 at 02:37:57AM +0000, Luke wrote:
> Hello Brad,
> We are still using grsec for our infrastructure at Parabola
> GNU/Linux-libre, and it is an essential part of our distribution.
> Thank you for continuing to offer the test patches for free.
>
> However, over the past year(?) or so a non-free firmware blob was added
> to grsec.
> This causes grsec patch to fail when run against the linux-libre kernel.
> ( http://www.fsfla.org/ikiwiki/selibre/linux-libre/ )
> I have also heard report that it is causing the deblob script in Gentoo
> to conflict with hardened-sources and fails to build.
>
> We have been manually patching grsec and removing the blob for our
> distro, but it is a tedious process each time a new release is made.
>
> I have been looking into a way of automating this so that we always have
> the latest grsec patches, and see two possible solutions.
>
> 1) Place the blob at the beginning of the grsec patch so that it is
> always at the same line(s) and we can use sed to remove the blob. e.g.
> sed '2,1400d' grsec*.patch
> - This solution will work unless the blob grows or becomes smaller.
> Currently, it is not a good solution since the blob moves periodically
> throughout the file each time there is a new version.
>
> 2) Provide a version of grsec without the non-free firmware.
> (Since the blob is an updated version of BNX2 firmware, maybe getting
> upstream kernel.org to update their blob would solve the need for it to
> be included in the grsec patch?)
>
> Any other ideas you could offer are also appreciated.
>
>
> Thanks.
>
> Sincerely,
> Luke
> Packager for Parabola GNU/Linux-libre
> https://parabola.nu
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: librefix.py
Type: text/x-python
Size: 587 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161223/00538615/attachment.py>
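The attached librefix.py is only linked above, so the following is an added example and not Brad's script: a standard-library Python 3 sketch of the same idea, dropping whole file sections from a patch by path instead of by line number, so it keeps working when the blob moves or changes size. It does not use unidiff.PatchSet; it assumes git-style "diff --git a/... b/..." headers with no spaces in paths, and the function name, sample paths and sample hunks are constructed for illustration.

```python
import fnmatch
import re

# Per-file header that opens each section of a git-style unified diff.
HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")

def drop_files(patch_text, patterns):
    """Return (filtered_patch, dropped_paths); whole file sections whose
    path matches a glob in `patterns` are removed, wherever they sit."""
    kept, dropped, keep = [], [], True  # text before the first header is kept
    for line in patch_text.splitlines(keepends=True):
        m = HEADER.match(line.rstrip("\n"))
        if m:  # a new file section starts: decide once for the whole section
            keep = not any(fnmatch.fnmatch(m.group(2), p) for p in patterns)
            if not keep:
                dropped.append(m.group(2))
        if keep:
            kept.append(line)
    return "".join(kept), dropped

# Constructed sample: file names, hunks and hex lines are made up.
SAMPLE = """\
diff --git a/fs/exec.c b/fs/exec.c
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1,2 +1,3 @@
 int a;
+int hardened;
 int b;
diff --git a/firmware/example/blob.fw.ihex b/firmware/example/blob.fw.ihex
--- /dev/null
+++ b/firmware/example/blob.fw.ihex
@@ -0,0 +1,2 @@
+:10000000DEADBEEF
+:00000001FF
diff --git a/mm/mmap.c b/mm/mmap.c
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -5,2 +5,2 @@
-old
+new
 ctx
"""

if __name__ == "__main__":
    out, gone = drop_files(SAMPLE, ["firmware/*"])
    print("dropped:", gone)
    print(out, end="")
```

Hunk lines always begin with a space, "+" or "-", so a "diff --git" string inside a changed file cannot be mistaken for a section header.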