Gentoo Archives: gentoo-hardened

From: klondike <franxisco1988@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] kudos to hardened-sources
Date: Wed, 25 Mar 2009 20:22:05
Message-Id: 8b17778e0903251321w51a17495g84793326af870d2a@mail.gmail.com
In Reply to: Re: [gentoo-hardened] kudos to hardened-sources by Kerin Millar
2009/3/25 Kerin Millar <kerframil@×××××.com>

> 2009/3/24 klondike <franxisco1988@×××××.com>:
> > 2009/3/24 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com>
> >>
> >> FWICT, hardened-sources has offered, for a few days now, a more recent
> >> kernel than gentoo-sources! (not that there's any sort of competition
> >> :-) )
> >>
> >> Good show! (thanks!!)
> >
> > I'm not going to cite anything because then I may get an out-of-context
> > answer :P But I think it was gengor who said that, obviously, there isn't
> > any kind of competition, and that the kernel change was just a
> > coincidence.
> >
> > As a side note, I'd say the jump was from 2.6.26 to 2.6.28, so I think
> > gentoo-sources has also been advanced for some time :P
>
> The initial hardened-sources-2.6.28 release was committed precisely
> one month after the equivalent gentoo-sources release (plus an
> additional day with respect to the kernel.org release). This is a
> reasonable timeframe, particularly when you consider that the project
> must wait on upstream to produce a new grsecurity patch.
>
This is a really nice time frame; I'm not criticizing it.


> Also, there were releases for 2.6.27 but they were recently retired
> because - due to issues with the corresponding grsecurity patch - the
> decision was made that they would never be stabilised, in favour of
> 2.6.28. That doesn't change the fact that they were there at the time.
>
Neither am I criticizing that.


> As for the patchsets themselves, hardened-extras has a proven track record
> in:
>
> 1) Incorporating 2.6.X.Y stable patches faster than genpatches-base
>
> 2) Incorporating important fixes that are typically later adopted by
> genpatches-base and/or stable patch and/or vanilla releases. Recent
> example: ext4 patches to mitigate against circumstances that commonly
> lead to data loss: http://bugs.gentoo.org/show_bug.cgi?id=262507
> (queued upstream for 2.6.30 I believe)
>
> 3) Incorporating/backporting security fixes and _continuing_ to do so
> for a given 2.6.X trunk for as long as is reasonably possible, even
> after genpatches/upstream have given up and moved on. For instance,
> consider the contents of hardened-patches-2.6.25-14.
>
> 4) Occasionally, incorporating security fixes for a given trunk where
> neither genpatches nor upstream do so. For instance, consider my
> remarks concerning the 2.6.24 releases here:
> http://bugs.gentoo.org/show_bug.cgi?id=185022#c3
>
Which I'd like to see on other distros too xD


> All of this has been especially true since Gordon began maintaining
> hardened-sources.
>
I never criticized Gordon's work; I'm the first to use his hardened
kernels, which IMHO work really nicely. If I didn't like them I would have
switched.

>
> In terms of keywording strategy, it's a case of when it's ready,
> it's ready. On the other hand, if having a newer driver is more
> important than the maintainer's view of the overall
> production-worthiness of the release, then current releases are
> typically available to those who would add a single entry into
> package.keywords.
>
Well, as always, sometimes bad things happen there; I remember a recent bug
about disabling PaX and grsec.

> Taking all of this into due consideration, I would assert that
> hardened-sources does generally come out ahead of the 'competition',
> so to speak.
>
What I meant is that there is no competition: each kernel is made for what
it is made for and is targeted at a specific kind of user. In my case I use
hardened mainly on servers (now beginning with desktops) and it has always
worked smoothly.