On Fri, Aug 17, 2012 at 11:19 PM, "Tóth Attila" <atoth@××××××××××.hu> wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appears.

First, I would like to note that I appreciate very much Anthony's
dedication to maintaining hardened-sources.

The situation with stabilizing hardened-sources versions, as I see it,
is problematic because grsecurity / PaX upstream only supports a
couple of kernels they consider stable (currently, 2.6.32 and 3.2),
and the very latest kernel as unstable (currently, 3.5). They don't
release patches for interim kernels [1]. So the issue with stabilizing
those versions (say, 3.4) is moot — the upstream kernel might be
stable, but grsecurity / PaX patches are frozen in time. This results
in a weird situation if you want, e.g., a stable kernel that's more
modern than 3.2, but don't want EFI-related bugs [2] that were fixed
by grsecurity after they switched to the 3.5 series for testing.

Ideally, grsecurity could release patches for each kernel series after
the latest stable (currently, 3.2), but that would probably require too
many resources.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2980
[2] https://bugs.gentoo.org/428726, https://bugs.gentoo.org/430122

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte