| 1 |
On Fri, Aug 17, 2012 at 11:19 PM, "Tóth Attila" <atoth@××××××××××.hu> wrote: |
| 2 |
> That is exactly what hardened sources package maintainers do. |
| 3 |
> There's always a tiny time difference between the latest grsecurity patch |
| 4 |
> showing up on the homepage and the respective kernel ebuild appears. |
| 5 |
|
| 6 |
First, I would like to note that I appreciate very much Anthony's |
| 7 |
dedication to maintaining hardened-sources. |
| 8 |
|
| 9 |
The situation with stabilizing hardened-sources versions, as I see it, |
| 10 |
is problematic because grsecurity / PaX upstream only supports a |
| 11 |
couple of kernels they consider stable (currently, 2.6.32 and 3.2), |
| 12 |
and the very latest kernel as unstable (currently, 3.5). They don't |
| 13 |
release patches for interim kernels [1]. So the issue with stabilizing |
| 14 |
those versions (say, 3.4) is moot — the upstream kernel might be |
| 15 |
stable, but grsecurity / PaX patches are frozen in time. This results |
| 16 |
in a weird situation if you want, e.g., a stable kernel that's more |
| 17 |
modern than 3.2, but don't want EFI-related bugs [2] that were fixed |
| 18 |
by grsecurity after they switched to 3.5 series for testing. |
| 19 |
|
| 20 |
Ideally, grsecurity could release patches for each kernel series after |
| 21 |
latest stable (currently, 3.2), but that would probably require too |
| 22 |
much resources. |
| 23 |
|
| 24 |
[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2980 |
| 25 |
[2] https://bugs.gentoo.org/428726, https://bugs.gentoo.org/430122 |
| 26 |
|
| 27 |
-- |
| 28 |
Maxim Kammerer |
| 29 |
Liberté Linux: http://dee.su/liberte |
Archives