Slashdot Mirror


End Of Development For Grsecurity Announced?

vrtk writes "I received this minutes ago, from the grsecurity mailing list, also displayed on the official site for the open-source security project: 'Beginning today, May 31, 2004, development of grsecurity will cease. On June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. I am not looking for paypal donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be returning.'"

24 of 306 comments

  1. Additional information by ccTech · · Score: 5, Informative

    I also submitted this story (rejected) and provided various informational links on this issue:

    For a comparison between Grsecurity and SELinux:
    http://www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf

    They also document and explain many of the issues facing the LSM project as well:
    http://www.grsecurity.org/lsm.php

    It will be interesting to see how the Gentoo Hardened Project will respond to this as well as they have done a great deal of work with grsecurity and provided some exceptional Grsecurity documentation (for the 1.9.x series).
    http://www.gentoo.org/proj/en/hardened/index.xml
    http://www.gentoo.org/proj/en/hardened/grsecurity.xml

    It will be sad to see this project fade away, especially for those needing an expressive security RBAC/MAC/PAX system. Grsecurity, combined with PAX, provided a well rounded security system that was sensible, somewhat easy to learn, and easier to administrate thanks to the powerful gradm Learning capability.

  2. the decision not to pay him was no doubt made by.. by Anonymous Coward · · Score: 5, Insightful

    the sort of bastards that make $2500/hour being driven to country clubs to shake hands and joke about 'damned hippies'.

    "What, we don't need to pay him?"

    "Heh, yeah. Damn fool fell for that Open Source crap. He gets what he deserves."

    "Well, Damn Dirty Hippies, etc. Oh, and pass the caviar."

  3. cease to exist? by lawngnome · · Score: 5, Insightful

    how can it cease to exist? isn't open source software forever? (well, in some form or another) it may not be regularly updated (or updated at all, by the looks of the article) but could still prove useful in the future...

    1. Re:cease to exist? by TWX · · Score: 4, Insightful

      If the main project site is gone and all of the continuing development notes are no longer available, it's much harder for it to continue. Remember, the code itself is just the end product of a process that involves designing, coding, testing, revising, re-testing, etc, etc, etc. While someone who has the GPLed source could continue to work on it, such a person wouldn't have the experience or results from this process that the original developer had.

      If the project is fairly mature, like the Linux Kernel, KDE, FVWM, or any other number of projects with lots of developers then it's easier to lose the top guy or gal and continue development. Linus' turning over the previous stable kernel trees to other big Linux guys like Alan Cox or any of the others is an example. One guy or even a very small number of people on a specific, niche utility or patch might not be able to achieve the same.

      The space and organization required to keep the project internet-accessible is also a problem, as this case directly shows. He can't afford the space and bandwidth. I feel his pain, it's hard enough just keeping a personal domain with a mild amount of traffic up for almost no money. Trying to run something with backend CGI for forums and CVS isn't free.

      I hope that people are able to reorganize this project, but if that doesn't work then it doesn't.

      --
      Do not look into laser with remaining eye.
  4. Re:So what? by Atzanteol · · Score: 5, Insightful

    Since the developers went and got all selfish about things like 'eating' and 'clothes'?

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  5. Re:Open source by skraps · · Score: 4, Funny
    Just wait some days till many firms and thousands of users step up and offer support for such a useful product. We'll talk again then, about the open source business model, my friend.
    Seriously, you guys should just collect your arguments into a list and then refer to them by number. It would save typing, and my time re-reading the same old re-hashed arguments.
    --
    Karma: -2147483648 (Mostly affected by integer overflow)
  6. Re:the decision not to pay him was no doubt made b by kunudo · · Score: 4, Interesting

    I think someone should disclose the name of the sponsor that pulled out, not to flame them (well, maybe...) but so that others that might be depending on them get to re-evaluate the economics of their projects. Anyone know who it was?

  7. Re:Brad Spender Developer of GRSecurity is a Hero by Anonymous Coward · · Score: 4, Interesting

    Unfortunately you are correct and at the same time incorrect.

    1. The kernel developers have no real security experience at all. They are also stubborn and have a certain authority that simply does not get challenged. They actually simply refuse to see the point in being proactive and fixing security flaws with better architectures - they just want to fix individual tiny flaws.

    2. The kernels are developing. Even the "stable" branches. It's FEATURES that are frozen, not implementations. Grsecurity is very implementation-centric.

    3. There are internal politics in the kernel development team (the inferior exec_shield by RedHat, SELinux, kernel security model architecture, ..).

    4. Grsecurity's contents will be outdated very fast. A couple of small version bumps will mean it takes someone a bit more knowledgeable to port the patches. Soon just the theories will remain and most likely, in the current atmosphere, no one will really pick the project back up and put it on track.

    5. Security is a hard thing to measure. Trying to convince pointy haired managers to pay for something that is FREE (hey, it's open source!) is nearly impossible.

    6. Grsecurity is the first package to really fix some fundamental security flaws widely in Linux systems. Spender IS a genuine hero. An unknown hero after a while since the mainstream development is so far off from the secure tracks.

    Sorry.. But it looks bad. Really like the dark ages for Linux security.

  8. Gentoo Hardened? by djcapelis · · Score: 5, Interesting

    I wonder if the Gentoo Hardened project will continue grsecurity development, they've done a bit of work with it anyways. Gentoo could certainly supply grsecurity with the needed webspace/cvs hosting etc...

    I wonder if that option was looked at before spender decided to give up. Does anyone have ideas on why this couldn't be done? Seems fairly simple to me..

    --
    I touch computers in naughty places
  9. My advice to the developer by Anonymous Coward · · Score: 4, Funny

    Apparently you have not learned all the steps of OSS development.

    You have successfully completed two stages:
    1. Develop free software.
    2. Run out of money.

    And you quit at this point forgetting about the third step.

    3. Launch a massive copyright-infringement patent-violation lawsuit against IBM and pay lawyers with stock.

  10. background on grsecurity by Elendur · · Score: 5, Informative

    For those who don't know, grsecurity is a security oriented patch for the Linux kernel. It provides mandatory access controls, strengthens the chroot system call, adds /proc and filesystem protections, allows for kernel level auditing of almost everything, and includes the PaX patch to provide non-executable memory pages and address space layout randomization.

    The MAC part, called RBAC for Role Based Access Controls, is very well done and the best I've seen. Configuration is very easy through a flat file interface. The system enforces that you have certain intelligent configurations set so you can't make simple mistakes destroying your security. It has a learning mode which will automatically give a least access ruleset for the whole system. Amazingly it actually works quite well. Also the learning mode can be turned on for individual roles or subjects making it easy to add a new program to a system with RBAC already running.

    In my opinion grsecurity was the best hope for real security on linux for most people as it provides a comprehensive solution, is easy to set up, and is well engineered.
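
    The non-executable memory pages mentioned above are the part of PaX that a userspace program can observe directly. The following is an added example (not code from grsecurity, PaX, or the poster) that maps an anonymous page, writes a single `ret` instruction into it, and tries to execute it, once without PROT_EXEC and once with it. On a stock Linux kernel with NX the first attempt faults with SIGSEGV and the second runs; under PaX with MPROTECT enabled, the request for a writable+executable anonymous mapping is itself refused, which the function reports as -1. The architecture-specific `ret` encodings and the 4096-byte page size are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Machine code for a bare "ret" on the build architecture (assumed encodings). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_code[] = { 0xC3 };                    /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_code[] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret */
#else
#error "add the 'ret' encoding for this architecture"
#endif

#define PAGE_BYTES 4096  /* assumed page size; enough for one instruction */

static sigjmp_buf recover;

/* Fault handler: unwind back to the sigsetjmp below instead of dying. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover, 1);
}

/* Try to run a "ret" placed in a fresh anonymous mapping.
 * Returns  1 if the instruction executed,
 *          0 if the CPU/kernel refused to fetch from the page (NX fault),
 *         -1 if the kernel refused to create the mapping at all
 *            (what PaX MPROTECT does for writable+executable anonymous memory). */
int try_exec_from_mapping(int want_exec) {
    int prot = PROT_READ | PROT_WRITE | (want_exec ? PROT_EXEC : 0);
    void *page = mmap(NULL, PAGE_BYTES, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    memcpy(page, ret_code, sizeof ret_code);
    /* Keep instruction and data caches coherent (a no-op on x86, required on arm64). */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret_code);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int ran = 0;
    if (sigsetjmp(recover, 1) == 0) {
        void (*fn)(void) = (void (*)(void))page;
        fn();          /* faults here when the page is not executable */
        ran = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, PAGE_BYTES);
    return ran;
}

int main(void) {
    printf("RW  mapping: %d (0 = fetch blocked by NX)\n", try_exec_from_mapping(0));
    printf("RWX mapping: %d (1 = ran, -1 = mapping refused, e.g. PaX MPROTECT)\n",
           try_exec_from_mapping(1));
    return 0;
}
```

    The first call is what a classic stack- or heap-smashing payload runs into once data pages carry no execute permission: the fetch faults before a single byte runs. The second call is the escape hatch such payloads would need, and is the one that PaX's MPROTECT closes by refusing the W+X mapping up front, which is why the function distinguishes a fault (0) from a refused mapping (-1).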

  11. Sponsorship is a bad model. by k98sven · · Score: 4, Insightful

    Sorry to say this, but I feel that sponsorship is ultimately not a good way to run an OSS project.

    If you rely on sponsorships, you have to expect this kind of thing to happen. It does. All the time.

    If there are businesses which are using your software, then there should be a market for you in consulting. Consulting is a proven business model for OSS development. (Not that it is much more of a guarantee, but at least you have a contract.)

    Not to mention that many big businesses view consulting and sponsorship as two very, very different things. It has to do with bookkeeping. Money paid as consulting makes it more evident that you are providing a service than money marked down as 'sponsorship'.

    Now, if your project is not commercially interesting, and you still want to get paid for doing it, perhaps you should be looking for a research position instead, if it's innovative enough.

    And if it's not innovative nor commercially interesting.. Well then it's a hobby, goddamnit! :-)

  12. Insult to injury by PsychoKiller · · Score: 5, Funny

    Not only does he run out of money, he gets a slashdotting too. :(

  13. that's not how it works by dekeji · · Score: 4, Insightful

    Sorry, but that's not how OSS development gets funded; you can't just put up some software on a web site and wait for donations.

    Grsecurity looks like something you might be able to fund as part of a security consulting business. Or, if dealing with people is not your thing, you might be able to make a living writing books about security and how to use grsecurity. Or you might be able to do it on the side while working for a large company.

    If grsecurity is as useful as you think, if there was a lively community around it, and if the code is usable, there is a good chance someone else will pick it up and actually build a successful business around it. If nobody continues development of grsecurity at this point, then it wasn't really a good, live open source project anyway--it was just some useful code released under the GPL.

    Please don't complain about it: while your desire to create open source software is admirable, it is still your problem if you fail because you picked a naive business model.

    1. Re:that's not how it works by theM_xl · · Score: 4, Informative

      RTFA. He didn't do that. His sponsor PROMISED to pay him, and didn't deliver on that promise.

  14. Re:So what? by AstroDrabb · · Score: 5, Insightful
    You must have the brains of a rat and those who modded this "Insightful" must have equal brain power. Please tell me, what is "Insightful" in
    It sounds like what he wanted was employment. Being able to make a living off of a hobby is a lofty and unrealistic goal.
    Where is the "Insightful" knowledge that I should have gained from this comment? What it comes down to is this was _not_ a hobby for this guy. He worked full time and a few $BIG_COMPANIES promised him $XYZ in payment if he delivered $ABC. He delivered $ABC, and those $BIG_COMPANIES did not deliver $XYZ in payment. Most likely because his code was under the GPL and they could use it without his consent or their payments.
    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  15. Re:Additional information (broken links) by pyrrhonist · · Score: 5, Informative
    WTF slashdot??? When I pasted this in, there were no spaces in the links!

    Here, I'll fix it. Your post with clickable links:

    For a comparison between Grsecurity and SELinux: click here

    They also document and explain many of the issues facing the LSM project as well: here

    It will be interesting to see how the Gentoo Hardened Project will respond to this as well as they have done a great deal of work with grsecurity and provided some exceptional Grsecurity documentation (for the 1.9.x series).
    Hardened Gentoo
    Gentoo Grsecurity Guide

    It will be sad to see this project fade away, especially for those needing an expressive security RBAC/MAC/PAX system. Grsecurity, combined with PAX, provided a well rounded security system that was sensible, somewhat easy to learn, and easier to administrate thanks to the powerful gradm Learning capability.

    You might want to use HTML next time. Or you might not.
    --
    Show me on the doll where his noodly appendage touched you.
  16. Re:Do what all FOSS developers do. by nkh · · Score: 4, Funny
    I tried to live
    off OSS development
    and all I got was this
    lousy T-shirt!
  17. Since when... by mbottrell · · Score: 4, Insightful

    What amazes me is that it's automagically assumed that a code-cutter also has business sense to run a successful business.

    Remember at the end of the day he's a code-cutter... not a suit... if he was a suit.. he wouldn't be a code-cutter now would he! :[

    I must admit as a code-cutter I'm sick of many businesses' idea of 'yeah... let's get it under the GPL... we can use, abuse and not pay for it'.

    Bad Karma to this idea of thinking...
    These fat-cats still drive home to a nice warm bed, big meal and watch their TV.

    How about flipping some $$'s towards the schmuck that did all your hard work and ensure he's still around next year when you have a real question about the software.

    At the end of the day... nothing is FREE... someone pays... unfortunately with a lot of GPL.. it's normally the developer and his family. :(

  18. Re:What is grsecurity? by Richard_L_James · · Score: 5, Informative

    Security focus provided the following good explanation:

    "...Grsecurity is a suite of patches (distributed as a single patch file) for the Linux kernel that are an attempt to improve the security of a Linux system. Grsecurity is based on a port of some previous patches for the Linux 2.2 kernel, including Openwall and PaX, which have never been ported to the 2.4 kernel. Grsecurity provides some updates to these patches and has been ported to the Linux 2.4 kernel..." continue reading SecurityFocus's review.

  19. Re:Smells like a lawsuit by ibbey · · Score: 4, Insightful

    It's almost blackmail. "Support me else I shut it down."

    That's hardly in the spirit of Free Software.
    Since when is the spirit of Free Software doing work that benefits others and expecting nothing in return? What any given author expects in return may vary, but expecting money isn't out of line. The author presumably has expenses related to the project and is well within his rights to state that he will not continue development if he can't find someone to offset those expenses.

    Remember, though, that since the project is GPL'd, there's nothing stopping you or anyone else from downloading the source & taking over the maintenance & development for him. That's the spirit of open source.

  20. Re:Smells like a lawsuit by sydb · · Score: 4, Insightful

    I don't think anyone "in free software" thinks development has no cost. I think they are keenly aware what the cost is - usually their time.

    It's only a few idiots who equate Free with free.

    However I think your characterisation of open source development is either naive or trollish.

    --
    Yours Sincerely, Michael.
  21. Re:Brad Spender Developer of GRSecurity is a Hero by keesh · · Score: 4, Insightful

    No, Brad Spender is an arrogant fucktard who cared more about screwing over people who disagreed with him (for example, he tried to deliberately withhold information on a RedHat security flaw until after Fedora Core 2 was released, just to bring them around to his way of thinking) than fixing things.

  22. Spender may or may not be a hero by fw3 · · Score: 4, Informative
    But grsec being dead should be no surprise.

    I read the 'comparative to LSM/SEL' links posted above, they are hardly complete, and while they may be arguably correct point for point I couldn't agree with them.

    If GRSEC is so good why have I never heard of any fully developed policy models? SE-Linux can run pretty much out of the box on a fully-featured server. I've run it without undue difficulty on 3 different distributions.

    Spender and the RSBAC people both like to get up and say that LSM is no good. Lots of reasons are given e.g. "it doesn't provide full Bell-LaPadula security assurance" or "parts are patented".

    I would counter:

    Both grsec and rsbac are piecemeal solutions, pretty much a hodgepodge of admittedly good ideas patching the kernel to implement 'security'. By comparison LSM/SEL are integrated into the mainline kernel now, and the chosen perimeter is a pretty good one for practically improving Unix (Linux) security issues.

    The 'Bell-La Padula' argument basically is complaining that SEL isn't set up for MLS (Multi-level-secure) so it must be no fscking good (TM). This of course is neglecting that the *target* audience for MLS computing (CIA, NSA, DOD ...) have given up on it, my understanding is that most MLS implementations have been replaced with air-gapped systems to deal with the levels.

    Now if the intended users of MLS (class B and A TCSEC evaluated systems) who have very deep pockets indeed have scrapped them, who the hell are the targeted users?

    As an amusing side story the founder of a distribution based on RSBAC not only had no idea about this when he started the project, he also had no idea what MLS was and had never read word one of the TCSEC. And when he did he was suddenly wondering how to get evaluated (for a certification that's no longer even available).

    So basically I think Spender is interested in being *right*, not interested in doing collaborative work and when something better (in the sense of *practical and useful*) came along he had little more to do than poke technical holes in it.

    So I'm not in the least surprised that he's losing his funding. LSM/SEL is available, works now and is cost-effective to actually use on production servers.

    It's the easiest thing in the world to point out that someone else's system design is not perfectly secure. However practical security is more a matter of practice and process than design anyway. And in the final analysis if you're not willing to make something that actually works (and to work with others to achieve that) then you're gonna have a hard time finding customers.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD