| 1 |
On 19/04/2010 20:45, David Sommerseth wrote: |
| 2 |
|
| 3 |
[snip] |
| 4 |
|
| 5 |
> Yes, you are right. But still ... it's now closer to one year *without* |
| 6 |
> any updates for the stable kernel. Which means, compiling the latest |
| 7 |
> upstream 2.6.33.2 kernel might be a lot safer, than the 2.6.28-r9 which |
| 8 |
> is marked stable now. |
| 9 |
> |
| 10 |
> As a comparison, Red Hat comes regularly with security fixes to their |
| 11 |
> kernels, some RHEL based kernels almost have an update with security |
| 12 |
> fixes every month. Of course you can blame it on the amount of |
| 13 |
> resources and equipment available for testing. On the other hand RHEL |
| 14 |
> do backport patches from newer kernels to older kernels (to maintain |
| 15 |
> certifications) with (mostly) security fixes. That do take a lot of |
| 16 |
> manpower to manage. Anyhow, being able to release a new kernel for a |
| 17 |
> "stable marked" as RHEL aims at, containing security fixes, tells |
| 18 |
> something about the amount of vulnerabilities found in the kernel. |
| 19 |
> |
| 20 |
> But, the hardened-sources really touches the nerve now in regards to |
| 21 |
> what I feel is safe. The PaX patches do provide some extra security |
| 22 |
> which not many else have. But still ... I am not as confident with |
| 23 |
> Hardened Gentoo as I once was. I honestly think that the hardened |
| 24 |
> sources now are more vulnerable than gentoo-sources, just because of the |
| 25 |
> age of the kernel. Granted, gentoo-sources do not have the PaX patch |
| 26 |
> set, but it is still fresher with more CVE and other security fixes than |
| 27 |
> what the current stable hardened-sources do have. |
| 28 |
> |
| 29 |
> Fair enough, the Gentoo portage kernels do add some fixes which is not |
| 30 |
> in upstream yet ... but that's only valid when the kernel is not as old |
| 31 |
> as this one. |
| 32 |
> |
| 33 |
> I have no problem accepting if the Hardened team withdraws the current |
| 34 |
> hardened-sources. It will most probably create a lot more noise for |
| 35 |
> some time. But the current situation is unsustainable, in my honest |
| 36 |
> opinion. In fact, it would be a more honest approach if the Hardened |
| 37 |
> team withdraw the sources - giving advises to which stable kernel to run |
| 38 |
> instead or which approach to take to get a better solution. |
| 39 |
> |
| 40 |
> The only reason I do not switch kernel yet (or distro), is that I still |
| 41 |
> have a hope that a newer kernel is just around the corner. But my hope |
| 42 |
> is fading... and lately faster than earlier. |
| 43 |
> |
| 44 |
|
| 45 |
+1 insightful. I wholeheartedly concur. |
| 46 |
|
| 47 |
Cheers, |
| 48 |
|
| 49 |
--Kerin |
Archives