| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 10/18/2015 06:36 PM, Anthony G. Basile wrote: |
| 5 |
> Hi everyone, for your consideration: |
| 6 |
> |
| 7 |
> Title: Future Support of hardened-sources Kernel Content-Type: |
| 8 |
> text/plain Posted: 2015-10-21 Revision: 1 News-Item-Format: 1.0 |
| 9 |
> Display-If-Installed: sys-kernel/hardened-sources |
| 10 |
> Display-If-Keyword: hardened Display-If-Keyword: pax_kernel |
| 11 |
> Display-If-Profile: hardened/linux/amd64 Display-If-Profile: |
| 12 |
> hardened/linux/amd64/no-multilib Display-If-Profile: |
| 13 |
> hardened/linux/amd64/no-multilib/selinux Display-If-Profile: |
| 14 |
> hardened/linux/amd64/selinux Display-If-Profile: |
| 15 |
> hardened/linux/amd64/x32 Display-If-Profile: |
| 16 |
> hardened/linux/arm/armv6j Display-If-Profile: |
| 17 |
> hardened/linux/arm/armv7a Display-If-Profile: hardened/linux/ia64 |
| 18 |
> Display-If-Profile: hardened/linux/musl/amd64 Display-If-Profile: |
| 19 |
> hardened/linux/musl/amd64/x32 Display-If-Profile: |
| 20 |
> hardened/linux/musl/arm/armv7a Display-If-Profile: |
| 21 |
> hardened/linux/musl/mips Display-If-Profile: |
| 22 |
> hardened/linux/musl/mips/mipsel Display-If-Profile: |
| 23 |
> hardened/linux/musl/ppc Display-If-Profile: |
| 24 |
> hardened/linux/musl/x86 Display-If-Profile: |
| 25 |
> hardened/linux/powerpc/ppc32 Display-If-Profile: |
| 26 |
> hardened/linux/powerpc/ppc64/32bit-userland Display-If-Profile: |
| 27 |
> hardened/linux/powerpc/ppc64/64bit-userland Display-If-Profile: |
| 28 |
> hardened/linux/uclibc/amd64 Display-If-Profile: |
| 29 |
> hardened/linux/uclibc/arm/armv7a Display-If-Profile: |
| 30 |
> hardened/linux/uclibc/mips Display-If-Profile: |
| 31 |
> hardened/linux/uclibc/mips/mipsel Display-If-Profile: |
| 32 |
> hardened/linux/uclibc/ppc Display-If-Profile: |
| 33 |
> hardened/linux/uclibc/x86 Display-If-Profile: hardened/linux/x86 |
| 34 |
> Display-If-Profile: hardened/linux/x86/selinux |
| 35 |
> |
| 36 |
> For many years, the Grsecurity team [1] has been supporting two |
| 37 |
> versions of their security patches against the Linux kernel, a |
| 38 |
> stable and a testing version, and Gentoo has made both of these |
| 39 |
> available to our users through the hardened-sources package. |
| 40 |
> However, on August 26 of this year, the team announced they would |
| 41 |
> no longer be making the stable version publicly available, citing |
| 42 |
> trademark infringement by a major embedded systems company as the |
| 43 |
> reason. [2] The stable patches are now only available to sponsors |
| 44 |
> of Grsecurity and can no longer be distributed in Gentoo. However, |
| 45 |
> the team did assure us that they would continue to release and |
| 46 |
> support the testing version as they have in the past. |
| 47 |
> |
| 48 |
> What does this means for users of hardened-sources? Gentoo will |
| 49 |
> continue to make the testing version available through our |
| 50 |
> hardened-sources package but we will have to drop support for the |
| 51 |
> 3.x series. In a few days, those ebuilds will be removed from the |
| 52 |
> tree and you will be required to upgrade to a 4.x series kernel. |
| 53 |
> Since the hardened-sources package only installs the kernel source |
| 54 |
> tree, you can continue using a currently built 3.x series kernel |
| 55 |
> but bear in mind that we cannot support you, nor will upstream. |
| 56 |
> Also keep in mind that the 4.x series will not be as reliable as |
| 57 |
> the 3.x series was, so reporting bugs promptly will be even more |
| 58 |
> important. Gentoo will continue to work closely with upstream to |
| 59 |
> stay on top of any problems, but be prepared for the occasional |
| 60 |
> "bad" kernel. The more reporting we receive from our users, the |
| 61 |
> better we will be able to decide which hardened-sources kernels to |
| 62 |
> mark stable and which to drop. |
| 63 |
> |
| 64 |
> Refs. [1] https://grsecurity.net [2] |
| 65 |
> https://grsecurity.net/announce.php |
| 66 |
> |
| 67 |
|
| 68 |
Looks like a good write-up to me. Concise and clear, with the URL for |
| 69 |
those who care enough about the fiasco. |
| 70 |
|
| 71 |
However, does this mean the hardened kernel package must stay in ~arch |
| 72 |
since it's technically the testing version? Or would we keyword it |
| 73 |
based on our own findings of stability? |
| 74 |
|
| 75 |
- -- |
| 76 |
Daniel Campbell - Gentoo Developer |
| 77 |
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net |
| 78 |
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6 |
| 79 |
-----BEGIN PGP SIGNATURE----- |
| 80 |
Version: GnuPG v2 |
| 81 |
|
| 82 |
iQIcBAEBCAAGBQJWJfnzAAoJEAEkDpRQOeFwr/4QAM7tug2y/HtbXtBGbIzAiDQ9 |
| 83 |
nDHBxIvuSl949oojTxl+x0GqkskOu77VIj1baCXmoxO2sOwCZfwksdDFjU7cPrNr |
| 84 |
vjoIxBmefgz6FBeJxJaVMiMPVR7MC+ZHcLmBoP6LShmBPpEchY0kf2+JQmaWydU4 |
| 85 |
bDHmVxA+H0fNhUuXxGdD4xMvvSZShWm3uGnSZy1D9llJ587xHO9XlEkQdbiypGuC |
| 86 |
S8g1gJw96Vtynmy90shrTYrYkKdOxMUyV4HX7Wsb88IT3dURDFGXSuhy9/B2jLt0 |
| 87 |
3LmMiOeLzblIqiqxOxuhre+yB6mA9mkcTjG/M1nKKd1fHS4/l48clvVLpEMZRUSl |
| 88 |
oE0Ex2+eU/u4YjrDdRCErhhh4RvDkNOW43+1wblhCUoTd9WcpHc/74KdvI4oPgu4 |
| 89 |
Xe7HeVE7Xo/FT21kZvhuw4VRkerKAT+KITNCtRcp5mfXp4dnr4UonE+Vd39Ul4/v |
| 90 |
e2bkZKHbJI+uq4VBFNXnBKp7Pw/RewGm3PpkU8YrRQwI/AS1kHirP+/aWhnx2uHV |
| 91 |
WLJxBXw/kBNNKwGANPJQ2/ip4CXUILbJzTnmLxvlYt+61DE/K3CNlN4lPbidK/xR |
| 92 |
SU55y8COMFdDAtWUzEUXldh340Ob5KWRk00v0O+oarqj1oVfACsM44lWSYrNAZQs |
| 93 |
8EkcfKsY6lmHbsr9B5I1 |
| 94 |
=2Z3x |
| 95 |
-----END PGP SIGNATURE----- |
Archives