On 10/20/15 4:23 AM, Daniel Campbell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
>> Hi everyone, for your consideration:
>>
>> Title: Future Support of hardened-sources Kernel
>> Content-Type: text/plain
>> Posted: 2015-10-21
>> Revision: 1
>> News-Item-Format: 1.0
>> Display-If-Installed: sys-kernel/hardened-sources
>> Display-If-Keyword: hardened
>> Display-If-Keyword: pax_kernel
>> Display-If-Profile: hardened/linux/amd64
>> Display-If-Profile: hardened/linux/amd64/no-multilib
>> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
>> Display-If-Profile: hardened/linux/amd64/selinux
>> Display-If-Profile: hardened/linux/amd64/x32
>> Display-If-Profile: hardened/linux/arm/armv6j
>> Display-If-Profile: hardened/linux/arm/armv7a
>> Display-If-Profile: hardened/linux/ia64
>> Display-If-Profile: hardened/linux/musl/amd64
>> Display-If-Profile: hardened/linux/musl/amd64/x32
>> Display-If-Profile: hardened/linux/musl/arm/armv7a
>> Display-If-Profile: hardened/linux/musl/mips
>> Display-If-Profile: hardened/linux/musl/mips/mipsel
>> Display-If-Profile: hardened/linux/musl/ppc
>> Display-If-Profile: hardened/linux/musl/x86
>> Display-If-Profile: hardened/linux/powerpc/ppc32
>> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
>> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
>> Display-If-Profile: hardened/linux/uclibc/amd64
>> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
>> Display-If-Profile: hardened/linux/uclibc/mips
>> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
>> Display-If-Profile: hardened/linux/uclibc/ppc
>> Display-If-Profile: hardened/linux/uclibc/x86
>> Display-If-Profile: hardened/linux/x86
>> Display-If-Profile: hardened/linux/x86/selinux
>>
>> For many years, the Grsecurity team [1] has been supporting two
>> versions of their security patches against the Linux kernel, a
>> stable and a testing version, and Gentoo has made both of these
>> available to our users through the hardened-sources package.
>> However, on August 26 of this year, the team announced they would
>> no longer be making the stable version publicly available, citing
>> trademark infringement by a major embedded systems company as the
>> reason. [2] The stable patches are now only available to sponsors
>> of Grsecurity and can no longer be distributed in Gentoo. However,
>> the team did assure us that they would continue to release and
>> support the testing version as they have in the past.
>>
>> What does this mean for users of hardened-sources? Gentoo will
>> continue to make the testing version available through our
>> hardened-sources package but we will have to drop support for the
>> 3.x series. In a few days, those ebuilds will be removed from the
>> tree and you will be required to upgrade to a 4.x series kernel.
>> Since the hardened-sources package only installs the kernel source
>> tree, you can continue using a currently built 3.x series kernel
>> but bear in mind that we cannot support you, nor will upstream.
>> Also keep in mind that the 4.x series will not be as reliable as
>> the 3.x series was, so reporting bugs promptly will be even more
>> important. Gentoo will continue to work closely with upstream to
>> stay on top of any problems, but be prepared for the occasional
>> "bad" kernel. The more reporting we receive from our users, the
>> better we will be able to decide which hardened-sources kernels to
>> mark stable and which to drop.
>>
>> Refs.
>> [1] https://grsecurity.net
>> [2] https://grsecurity.net/announce.php
>>
> Looks like a good write-up to me. Concise and clear, with the URL for
> those who care enough about the fiasco.
>
> However, does this mean the hardened kernel package must stay in ~arch
> since it's technically the testing version? Or would we keyword it
> based on our own findings of stability?
>
I will continue to mark the best amd64 and x86 versions as stable.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA