| 1 |
El 02/09/15 a las 18:13, Anthony G. Basile escribió: |
| 2 |
> Hi everyone, |
| 3 |
> |
| 4 |
> So by now most people have heard the news that the Grsecurity/PaX team |
| 5 |
> are no longer going to be making their stable patches available. The |
| 6 |
> reason is that they are in dispute with a certain embedded systems |
| 7 |
> vendor and those negotiations broke down. So they decided to make |
| 8 |
> their stable patches only available to the sponsors. [1] |
| 9 |
> |
| 10 |
> What does this mean for Gentoo? Up until now I have been maintaining |
| 11 |
> both the grsec upstream stable and testing patchsets in our |
| 12 |
> hardened-sources. Currently the upstream stable kernels are 3.2.71 |
| 13 |
> and 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 |
| 14 |
> and 3.14.51 patchsets will no longer be available and I'll continue |
| 15 |
> pushing out the 4.1.6. Unfortunately the testing patchset is |
| 16 |
> precisely as the name suggests --- for testing and not production. |
| 17 |
> For the embedded systems company this will be the kiss of death |
| 18 |
> because those patches are not suitable for long term. For Gentoo it |
| 19 |
> will mean that I will have to be more vigilant about bugs and trying |
| 20 |
> to stick with a well known kernel before moving on. You can still use |
| 21 |
> these kernels in production, but you must be carefull about |
| 22 |
> instabilities as upstream pushes out experimental feature that may |
| 23 |
> oops or panic. Keep older kernel images around and revert if it |
| 24 |
> doesn't work. Look to this list for announcements about more serious |
| 25 |
> issues like things that can cause data loss. |
| 26 |
> |
| 27 |
> I'm hoping that once this company feels the sting of what has just |
| 28 |
> happened, they'll come back to the table and talk with Grsec/PaX people. |
| 29 |
> They won't be able to ship boards with grsec anymore because its not |
| 30 |
> so easy to switch out a kernel on a board! If they ship a board with |
| 31 |
> a bug, they loose. We just reboot :) |
| 32 |
> |
| 33 |
> [1] https://grsecurity.net/ |
| 34 |
> |
| 35 |
Only thing to add here is that spender expects the unstable kernels to |
| 36 |
become more stable in the medium term because of this. |
Archives