| 1 |
On 10/20/15 4:23 AM, Daniel Campbell wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA256 |
| 4 |
> |
| 5 |
> On 10/18/2015 06:36 PM, Anthony G. Basile wrote: |
| 6 |
>> Hi everyone, for your consideration: |
| 7 |
>> |
| 8 |
>> Title: Future Support of hardened-sources Kernel Content-Type: |
| 9 |
>> text/plain Posted: 2015-10-21 Revision: 1 News-Item-Format: 1.0 |
| 10 |
>> Display-If-Installed: sys-kernel/hardened-sources |
| 11 |
>> Display-If-Keyword: hardened Display-If-Keyword: pax_kernel |
| 12 |
>> Display-If-Profile: hardened/linux/amd64 Display-If-Profile: |
| 13 |
>> hardened/linux/amd64/no-multilib Display-If-Profile: |
| 14 |
>> hardened/linux/amd64/no-multilib/selinux Display-If-Profile: |
| 15 |
>> hardened/linux/amd64/selinux Display-If-Profile: |
| 16 |
>> hardened/linux/amd64/x32 Display-If-Profile: |
| 17 |
>> hardened/linux/arm/armv6j Display-If-Profile: |
| 18 |
>> hardened/linux/arm/armv7a Display-If-Profile: hardened/linux/ia64 |
| 19 |
>> Display-If-Profile: hardened/linux/musl/amd64 Display-If-Profile: |
| 20 |
>> hardened/linux/musl/amd64/x32 Display-If-Profile: |
| 21 |
>> hardened/linux/musl/arm/armv7a Display-If-Profile: |
| 22 |
>> hardened/linux/musl/mips Display-If-Profile: |
| 23 |
>> hardened/linux/musl/mips/mipsel Display-If-Profile: |
| 24 |
>> hardened/linux/musl/ppc Display-If-Profile: |
| 25 |
>> hardened/linux/musl/x86 Display-If-Profile: |
| 26 |
>> hardened/linux/powerpc/ppc32 Display-If-Profile: |
| 27 |
>> hardened/linux/powerpc/ppc64/32bit-userland Display-If-Profile: |
| 28 |
>> hardened/linux/powerpc/ppc64/64bit-userland Display-If-Profile: |
| 29 |
>> hardened/linux/uclibc/amd64 Display-If-Profile: |
| 30 |
>> hardened/linux/uclibc/arm/armv7a Display-If-Profile: |
| 31 |
>> hardened/linux/uclibc/mips Display-If-Profile: |
| 32 |
>> hardened/linux/uclibc/mips/mipsel Display-If-Profile: |
| 33 |
>> hardened/linux/uclibc/ppc Display-If-Profile: |
| 34 |
>> hardened/linux/uclibc/x86 Display-If-Profile: hardened/linux/x86 |
| 35 |
>> Display-If-Profile: hardened/linux/x86/selinux |
| 36 |
>> |
| 37 |
>> For many years, the Grsecurity team [1] has been supporting two |
| 38 |
>> versions of their security patches against the Linux kernel, a |
| 39 |
>> stable and a testing version, and Gentoo has made both of these |
| 40 |
>> available to our users through the hardened-sources package. |
| 41 |
>> However, on August 26 of this year, the team announced they would |
| 42 |
>> no longer be making the stable version publicly available, citing |
| 43 |
>> trademark infringement by a major embedded systems company as the |
| 44 |
>> reason. [2] The stable patches are now only available to sponsors |
| 45 |
>> of Grsecurity and can no longer be distributed in Gentoo. However, |
| 46 |
>> the team did assure us that they would continue to release and |
| 47 |
>> support the testing version as they have in the past. |
| 48 |
>> |
| 49 |
>> What does this means for users of hardened-sources? Gentoo will |
| 50 |
>> continue to make the testing version available through our |
| 51 |
>> hardened-sources package but we will have to drop support for the |
| 52 |
>> 3.x series. In a few days, those ebuilds will be removed from the |
| 53 |
>> tree and you will be required to upgrade to a 4.x series kernel. |
| 54 |
>> Since the hardened-sources package only installs the kernel source |
| 55 |
>> tree, you can continue using a currently built 3.x series kernel |
| 56 |
>> but bear in mind that we cannot support you, nor will upstream. |
| 57 |
>> Also keep in mind that the 4.x series will not be as reliable as |
| 58 |
>> the 3.x series was, so reporting bugs promptly will be even more |
| 59 |
>> important. Gentoo will continue to work closely with upstream to |
| 60 |
>> stay on top of any problems, but be prepared for the occasional |
| 61 |
>> "bad" kernel. The more reporting we receive from our users, the |
| 62 |
>> better we will be able to decide which hardened-sources kernels to |
| 63 |
>> mark stable and which to drop. |
| 64 |
>> |
| 65 |
>> Refs. [1] https://grsecurity.net [2] |
| 66 |
>> https://grsecurity.net/announce.php |
| 67 |
>> |
| 68 |
> Looks like a good write-up to me. Concise and clear, with the URL for |
| 69 |
> those who care enough about the fiasco. |
| 70 |
> |
| 71 |
> However, does this mean the hardened kernel package must stay in ~arch |
| 72 |
> since it's technically the testing version? Or would we keyword it |
| 73 |
> based on our own findings of stability? |
| 74 |
> |
| 75 |
I will continue to mark the best amd64 and x86 versions as stable. |
| 76 |
|
| 77 |
|
| 78 |
-- |
| 79 |
Anthony G. Basile, Ph.D. |
| 80 |
Gentoo Linux Developer [Hardened] |
| 81 |
E-Mail : blueness@g.o |
| 82 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 83 |
GnuPG ID : F52D4BBA |
Archives