End Of Development For Grsecurity Announced?
vrtk writes "I received this minutes ago, from the grsecurity mailing list, also displayed on the official site for the open-source security project: 'Beginning today, May 31, 2004, development of grsecurity will cease. On
June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while
continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that
depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal
donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be
returning.'"
Sounds a lot like material breach of contract with them not coming through with the money. Or else they deliberately sabotaged it in order to own that dev space.
Too bad! It was only last week that I heard that Grsecurity was so promising and more actively developed than, for example, Openwall.
Is grsecurity GPL'ed or not? I always thought it was, which just means that the guy's involvement and leadership will be shut off, not those of others... it's a pain when the CVS tree and mailing list archives are gone but usually resuming development from a late snapshot isn't too bad. Maybe others had mirrored the CVS tree?
I think someone should disclose the name of the sponsor that pulled out, not to flame them (well, maybe...) but so that others that might be depending on them get to re-evaluate the economics of their projects. Anyone know who it was?
Unfortunately you are correct and at the same time incorrect.
1. The kernel developers have no real security experience at all. They are also stubborn and have a certain authority that simply does not get challenged. They actually simply refuse to see the point in being proactive and fixing security flaws with better architectures - they just want to fix individual tiny flaws.
2. The kernels are developing. Even the "stable" branches. It's FEATURES that are frozen, not implementations. Grsecurity is very implementation-centric.
3. There are internal politics in the kernel development team (the inferior exec_shield by RedHat, SELinux, kernel security model architecture, ...).
4. Grsecurity's contents will be outdated very fast. A couple of small version bumps will make it take someone a bit more knowledgeable to port the patches. Soon just the theories will remain and most likely in the current atmosphere no one will really pick the project back up on the tracks.
5. Security is a hard thing to measure. Trying to convince pointy haired managers to pay for something that is FREE (hey, it's open source!) is nearly impossible.
6. Grsecurity is the first package to really fix some fundamental security flaws widely in Linux systems. Spender IS a genuine hero. An unknown hero after a while since the mainstream development is so far off from the secure tracks.
Sorry.. But it looks bad. Really like the dark ages for Linux security.
I wonder if the Gentoo Hardened project will continue grsecurity development, they've done a bit of work with it anyways. Gentoo could certainly supply grsecurity with the needed webspace/cvs hosting etc...
I wonder if that option was looked at before spender decided to give up. Does anyone have ideas on why this couldn't be done? Seems fairly simple to me..
This, I think, is the single most important problem Open-Source software is facing. Sponsors - Money. Since most of the software is free (both as in free beer and freedom of speech), financially supporting the developers is a bit difficult. What can be done about this? All the big corporations using the open-source software can be forced to pay a nominal amount - by nominal, I mean something much less than what a typical proprietary software owner charges. It should be a one-time nominal amount, with upgrades and patches available free of cost. Will it work? We sure can't afford to lose good software due to the lack of sponsors.
I have used GR Security for quite some time, and it's not that great a loss.
OpenWall was mentioned, but I prefer LIDS as a replacement for GRSecurity. The items below were taken from the GRSecurity site. All listed features are in LIDS as well:
# Change root (chroot) hardening
# /tmp race prevention
# Extensive auditing
# Prevention of entire classes of exploits related to address space bugs (from the PaX project)
# Additional randomness in the TCP/IP stack
# A restriction that allows a user to only view his/her processes
# Every security alert or audit contains the IP address of the person that caused the event
Besides, LIDS has a clever ACL schema for file protection and a master password, so that if an attacker gets root privileges, they could not exploit the machine completely.
It would make it possible (maybe not popular) to license the use of the brand to registered corporations.
... and then we'd have a tax on operating systems, just like the one from Redmond. Why would we bother with it, then? I'd as soon switch to FreeBSD and stick with it. We can't have a double standard.
As for the grsecurity developer, it's unfortunate, but FOSS developers really do need a day-job. I understand him being angry at a sponsor who fell through on a contract, but holding the project hostage isn't really the decent thing to do.
IRC log excerpt for you people. The fact is, there will be NO grsecurity without Spender getting some money. Stop hammering his site. No one else is qualified to really carry on developing Grsecurity. Maintaining (porting to next slightly modified kernels and stuff) perhaps, but not truly keeping the development going.
Also look at this: http://grsecurity.net/~spender/researchpaper.pdf ;) ;)
The guy is a genius. A real gem. He can't be replaced. It's not money or death for the project.
23:55 bleh, i wish a million people weren't doing cvs checkouts right now
23:55 haha
23:55 what i see it, that there will be few projects from it and most of it will die after one month
23:55 i agree
23:55 not to be arrogant or anything
23:55 no, but it is live
23:55 spender : i did it earlier...
23:55 but honestly i don't know of anyone that will take it to what i would have taken it to
23:55 and that's how it works
23:56 maybe because you're the only one that knows the code well
23:56 yes
23:56 well, it could be possible for someone to take it, but without RBAC
23:56 someone else would first need to read all of it a few times
23:56 and the people on slashdot don't get that
23:56 and where do you find someone with such security and kernel internals knowledge?
23:56 i don't think anyone could ever figure out gradm_newlearn.c
23:56 ms: lkml?
23:56 sleight : security?
23:56 lol
There is a truth here that points to the fundamental long-term problem for many free software projects.
Whilst I know nothing of grsecurity (but heck this is /., since when do I need to know anything to have an opinion!), and I feel sorry for the guy whose brainchild this is, we can all learn from this tale of woe.
Very few of us have the privilege of sponsorship, or the luxury of independent funding (stand up Mr Stallman), and let's face it, most of our projects aren't as essential as the GNU system, the Kernel, XFree or Apache, all of whom have some fairly serious backing in one form or another.
... everyone I knew who was in a band has gone on to get a 'proper' job - that doesn't mean they have all given up music, just that those who really believed in it are doing other things as well. Those who were only playing at being a rock star gave up years ago.
So what does this tell us?
It tells me that if you want free software to succeed, then you can't rely on your free software to provide you with an income. You CAN rely on your knowledge and skills as a consultant, or you can get another job, but if you go out there expecting patronage then you are bound to fail - in the same way that expecting to make it big in your garage band is a fairly uncertain way of earning a living.
Giving up your pet project because it hasn't paid your way shows the same lack of principle - or maybe it shows that the project didn't have that much importance to the author.
Imagine where we would be if Linus had got bored, and got a proper job at Burger King 'cos his kernel idea was not going anywhere and he needed to eat. I can't imagine he would have given up on it. Why haven't the Hurd team given up yet?
Principle.
But let's remember, principles aren't about cash.
Though it's difficult convincing Linus that the Linux security API sucks. If grsecurity dies, he'll have essentially little choice, as RSBAC will be the only viable option.
As far as willingness to pay goes, I am a thousand times more likely to give money to a programmer that makes something I use and just asks for it, as opposed to nagware or crippleware, which I will either do without or find another alternative for every time.
So far my understanding is that
GRSecurity:
* Fixes the problems in Linux that normally make Linux hard to secure
* Is very kernel version specific (i.e., maintenance intensive)
* Easy to use
* Roughly equivalent to, or slightly better than, many other existing hardening 'patches'
The author backs some of this up by saying: "Though grsecurity is licensed under the GPL, I am the sole developer and originator of ideas for the project. Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project."
So - it's either badly designed or grossly incomplete. Or both.
If it is maintenance intensive then the system needs a redesign from the bottom up, or deeper - draw up new specifications keeping in mind the limitations of the system you are modifying.
If it's grossly incomplete then there is little loss to the community. It may have been a great personal loss, but you should never, ever do what this developer did - float a loan for someone else which they could not personally handle. You don't have to be a business wizard in order to feed yourself.
From Michael Gerber's book "E-Myth Revisited":
Poor businesspeople work "in" the business - they're technicians who daily make the product or service. The business can't succeed without the individual, who may be a genius at providing a product or service but spends every day firefighting.
Brilliant company owners work "on" the business. They build systems, processes, and techniques so the business runs smoothly. These awesome managers don't just solve problems, they invent solutions that eliminate problems forever, or that automatically deal with the issue when it comes up again. (emphasis mine)
If this project requires constant maintenance, or cannot survive without this particular programmer, then it is firmly in the 'poor firefighting technician' category.
Poor guy. I hope he gets on his feet and successfully finds something that fulfills his need to create. This obviously is not the kind of work he's cut out for, though, and I hope, for his sake, that he chooses not to allow further sponsorship of his work on this project.
-Adam
See here for an example of his adolescent attitude.
He is a person who sits on exploits so he can release them at opportune times to make his project look good and other projects look bad, rather than taking the correct path: reporting the bugs to the developers so they can be fixed. I.e. he is simply a blackhat, pretending to be something he is not. I wouldn't trust my security to someone who behaves like this.
OpenBSD provides the same main features as GRsecurity:
- Non-executable stack
- Non-executable heap (W^X)
- mmap() and malloc() randomization
- Source port randomization
- per-user firewall using pf and the "user" directive