On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
> Hi everyone, for your consideration:
>
> Title: Future Support of hardened-sources Kernel
> Content-Type: text/plain
> Posted: 2015-10-21
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: sys-kernel/hardened-sources
> Display-If-Keyword: hardened
> Display-If-Keyword: pax_kernel
> Display-If-Profile: hardened/linux/amd64
> Display-If-Profile: hardened/linux/amd64/no-multilib
> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
> Display-If-Profile: hardened/linux/amd64/selinux
> Display-If-Profile: hardened/linux/amd64/x32
> Display-If-Profile: hardened/linux/arm/armv6j
> Display-If-Profile: hardened/linux/arm/armv7a
> Display-If-Profile: hardened/linux/ia64
> Display-If-Profile: hardened/linux/musl/amd64
> Display-If-Profile: hardened/linux/musl/amd64/x32
> Display-If-Profile: hardened/linux/musl/arm/armv7a
> Display-If-Profile: hardened/linux/musl/mips
> Display-If-Profile: hardened/linux/musl/mips/mipsel
> Display-If-Profile: hardened/linux/musl/ppc
> Display-If-Profile: hardened/linux/musl/x86
> Display-If-Profile: hardened/linux/powerpc/ppc32
> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
> Display-If-Profile: hardened/linux/uclibc/amd64
> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
> Display-If-Profile: hardened/linux/uclibc/mips
> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
> Display-If-Profile: hardened/linux/uclibc/ppc
> Display-If-Profile: hardened/linux/uclibc/x86
> Display-If-Profile: hardened/linux/x86
> Display-If-Profile: hardened/linux/x86/selinux
>
> For many years, the Grsecurity team [1] has been supporting two
> versions of their security patches against the Linux kernel, a
> stable and a testing version, and Gentoo has made both of these
> available to our users through the hardened-sources package.
> However, on August 26 of this year, the team announced they would
> no longer be making the stable version publicly available, citing
> trademark infringement by a major embedded systems company as the
> reason. [2] The stable patches are now only available to sponsors
> of Grsecurity and can no longer be distributed in Gentoo. However,
> the team did assure us that they would continue to release and
> support the testing version as they have in the past.
>
> What does this mean for users of hardened-sources? Gentoo will
> continue to make the testing version available through our
> hardened-sources package but we will have to drop support for the
> 3.x series. In a few days, those ebuilds will be removed from the
> tree and you will be required to upgrade to a 4.x series kernel.
> Since the hardened-sources package only installs the kernel source
> tree, you can continue using a currently built 3.x series kernel
> but bear in mind that we cannot support you, nor will upstream.
> Also keep in mind that the 4.x series will not be as reliable as
> the 3.x series was, so reporting bugs promptly will be even more
> important. Gentoo will continue to work closely with upstream to
> stay on top of any problems, but be prepared for the occasional
> "bad" kernel. The more reporting we receive from our users, the
> better we will be able to decide which hardened-sources kernels to
> mark stable and which to drop.
>
> Refs.
> [1] https://grsecurity.net
> [2] https://grsecurity.net/announce.php
>

Looks like a good write-up to me. Concise and clear, with the URL for
those who care enough about the fiasco. However, does this mean the
hardened kernel package must stay in ~arch since it's technically the
testing version? Or would we keyword it based on our own findings of
stability?

--
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6