1 |
El 02/09/15 a las 18:13, Anthony G. Basile escribió: |
2 |
> Hi everyone, |
3 |
> |
4 |
> So by now most people have heard the news that the Grsecurity/PaX team |
5 |
> are no longer going to be making their stable patches available. The |
6 |
> reason is that they are in dispute with a certain embedded systems |
7 |
> vendor and those negotiations broke down. So they decided to make |
8 |
> their stable patches only available to the sponsors. [1] |
9 |
> |
10 |
> What does this mean for Gentoo? Up until now I have been maintaining |
11 |
> both the grsec upstream stable and testing patchsets in our |
12 |
> hardened-sources. Currently the upstream stable kernels are 3.2.71 |
13 |
> and 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 |
14 |
> and 3.14.51 patchsets will no longer be available and I'll continue |
15 |
> pushing out the 4.1.6. Unfortunately the testing patchset is |
16 |
> precisely as the name suggests --- for testing and not production. |
17 |
> For the embedded systems company this will be the kiss of death |
18 |
> because those patches are not suitable for long term. For Gentoo it |
19 |
> will mean that I will have to be more vigilant about bugs and trying |
20 |
> to stick with a well known kernel before moving on. You can still use |
21 |
> these kernels in production, but you must be carefull about |
22 |
> instabilities as upstream pushes out experimental feature that may |
23 |
> oops or panic. Keep older kernel images around and revert if it |
24 |
> doesn't work. Look to this list for announcements about more serious |
25 |
> issues like things that can cause data loss. |
26 |
> |
27 |
> I'm hoping that once this company feels the sting of what has just |
28 |
> happened, they'll come back to the table and talk with Grsec/PaX people. |
29 |
> They won't be able to ship boards with grsec anymore because its not |
30 |
> so easy to switch out a kernel on a board! If they ship a board with |
31 |
> a bug, they loose. We just reboot :) |
32 |
> |
33 |
> [1] https://grsecurity.net/ |
34 |
> |
35 |
Only thing to add here is that spender expects the unstable kernels to |
36 |
become more stable in the medium term because of this. |