Maintaining the Unmaintainable: Picking up the Baton of a Secure Kernel Patchset
The world of kernel security changed forever on April 26th 2017, when Open Source Security Inc published a press release announcing that it would no longer make its grsecurity kernel patchset available to the public, and that it was "handing over future maintenance of grsecurity test patches to the community". Citing a wish for newcomers to experiment with new ideas, and a belief that the future would be shaped by the next generation, they challenged the world to continue maintaining grsecurity itself. With little more to go on than the previous patch, against 4.9.24, and the knowledge that 4.9 would receive backported fixes from upstream for two years, it was clear that there were large shoes to fill.

At the time, I was building my distro, Dapper Linux, and one of its key value propositions is running a grsec kernel out of the box. Feeling left high and dry, and unwilling to give up on the technological advancements that the patchset provides, I decided to learn kernel development and attempt to maintain the patchset as a complete kernel newbie.

In this talk, we will look at the internals of the patchset and the features it provides, and touch briefly on the politics surrounding it (including the epic flamewars on the kernel-hardening list). We will also see what I have done to keep the patchset alive, including my attempts to forward port it to newer major kernel versions, as well as the typical maintenance work for 4.9 LTS. We will see how a kernel newbie became the sole maintainer of the patchset in its entirety, and the roadblocks that have caused far more experienced developers to give up. Finally, we will talk about what the future holds once support for 4.9 LTS ends in Jan 2020.