On 19/04/2010 20:45, David Sommerseth wrote:

[snip]

> Yes, you are right. But still ... it's now closer to one year *without*
> any updates for the stable kernel. Which means, compiling the latest
> upstream 2.6.33.2 kernel might be a lot safer than the 2.6.28-r9 which
> is marked stable now.
>
> As a comparison, Red Hat comes regularly with security fixes to their
> kernels; some RHEL based kernels almost have an update with security
> fixes every month. Of course you can blame it on the amount of
> resources and equipment available for testing. On the other hand, RHEL
> does backport patches from newer kernels to older kernels (to maintain
> certifications) with (mostly) security fixes. That does take a lot of
> manpower to manage. Anyhow, being able to release a new kernel for a
> "stable marked" as RHEL aims at, containing security fixes, tells
> something about the amount of vulnerabilities found in the kernel.
>
> But the hardened-sources really touches the nerve now in regards to
> what I feel is safe. The PaX patches do provide some extra security
> which not many others have. But still ... I am not as confident with
> Hardened Gentoo as I once was. I honestly think that the hardened
> sources now are more vulnerable than gentoo-sources, just because of the
> age of the kernel. Granted, gentoo-sources do not have the PaX patch
> set, but it is still fresher with more CVE and other security fixes than
> what the current stable hardened-sources do have.
>
> Fair enough, the Gentoo portage kernels do add some fixes which are not
> in upstream yet ... but that's only valid when the kernel is not as old
> as this one.
>
> I have no problem accepting it if the Hardened team withdraws the current
> hardened-sources. It will most probably create a lot more noise for
> some time. But the current situation is unsustainable, in my honest
> opinion. In fact, it would be a more honest approach if the Hardened
> team withdrew the sources, giving advice on which stable kernel to run
> instead or which approach to take to get a better solution.
>
> The only reason I do not switch kernel yet (or distro) is that I still
> have a hope that a newer kernel is just around the corner. But my hope
> is fading... and lately faster than earlier.
>

+1 insightful. I wholeheartedly concur.

Cheers,

--Kerin