On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
> Hi everyone, for your consideration:
>
> Title: Future Support of hardened-sources Kernel
> Content-Type: text/plain
> Posted: 2015-10-21
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: sys-kernel/hardened-sources
> Display-If-Keyword: hardened
> Display-If-Keyword: pax_kernel
> Display-If-Profile: hardened/linux/amd64
> Display-If-Profile: hardened/linux/amd64/no-multilib
> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
> Display-If-Profile: hardened/linux/amd64/selinux
> Display-If-Profile: hardened/linux/amd64/x32
> Display-If-Profile: hardened/linux/arm/armv6j
> Display-If-Profile: hardened/linux/arm/armv7a
> Display-If-Profile: hardened/linux/ia64
> Display-If-Profile: hardened/linux/musl/amd64
> Display-If-Profile: hardened/linux/musl/amd64/x32
> Display-If-Profile: hardened/linux/musl/arm/armv7a
> Display-If-Profile: hardened/linux/musl/mips
> Display-If-Profile: hardened/linux/musl/mips/mipsel
> Display-If-Profile: hardened/linux/musl/ppc
> Display-If-Profile: hardened/linux/musl/x86
> Display-If-Profile: hardened/linux/powerpc/ppc32
> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
> Display-If-Profile: hardened/linux/uclibc/amd64
> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
> Display-If-Profile: hardened/linux/uclibc/mips
> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
> Display-If-Profile: hardened/linux/uclibc/ppc
> Display-If-Profile: hardened/linux/uclibc/x86
> Display-If-Profile: hardened/linux/x86
> Display-If-Profile: hardened/linux/x86/selinux
>
> For many years, the Grsecurity team [1] has been supporting two
> versions of their security patches against the Linux kernel, a
> stable and a testing version, and Gentoo has made both of these
> available to our users through the hardened-sources package.
> However, on August 26 of this year, the team announced they would
> no longer be making the stable version publicly available, citing
> trademark infringement by a major embedded systems company as the
> reason. [2] The stable patches are now only available to sponsors
> of Grsecurity and can no longer be distributed in Gentoo. However,
> the team did assure us that they would continue to release and
> support the testing version as they have in the past.
>
> What does this mean for users of hardened-sources? Gentoo will
> continue to make the testing version available through our
> hardened-sources package but we will have to drop support for the
> 3.x series. In a few days, those ebuilds will be removed from the
> tree and you will be required to upgrade to a 4.x series kernel.
> Since the hardened-sources package only installs the kernel source
> tree, you can continue using a currently built 3.x series kernel
> but bear in mind that we cannot support you, nor will upstream.
> Also keep in mind that the 4.x series will not be as reliable as
> the 3.x series was, so reporting bugs promptly will be even more
> important. Gentoo will continue to work closely with upstream to
> stay on top of any problems, but be prepared for the occasional
> "bad" kernel. The more reporting we receive from our users, the
> better we will be able to decide which hardened-sources kernels to
> mark stable and which to drop.
>
> Refs.
> [1] https://grsecurity.net
> [2] https://grsecurity.net/announce.php
>

Looks like a good write-up to me. Concise and clear, with the URL for
those who care enough about the fiasco.

However, does this mean the hardened kernel package must stay in ~arch
since it's technically the testing version? Or would we keyword it
based on our own findings of stability?

--
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6