Hi! I'd like to get this one up by Saturday so that we can proceed with masking and removing of the hardened-sources after upstream stopped releasing new patches.
This is my first time writing a news item so all input will be appreciated. As for the rationale behind this, we need to clearly inform users as to the options available for hardening their system kernels after the removal of the hardened-sources.

Sincerely, Klondike
Title: sys-kernel/hardened-sources removal
Author: Francisco Blas Izquierdo Riera (klondike) <klond...@gentoo.org>
Posted: 2017-08-19
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources

As you may know, the core of sys-kernel/hardened-sources has been the patches published by Grsec. Sadly, their developers have stopped making these freely available [1]. As a result, the Gentoo Hardened team is unable to keep providing further updates of the patches, and although the hardened-sources have proved (when using a hardened toolchain) to be resistant against certain attacks, like the stack guard page jump techniques proposed by Stack Clash, we can't ensure a regular patching schedule and therefore the security of the users of these kernel sources.

Because of that, we will be masking the hardened-sources on the 27th of August and will proceed to remove them from the tree by the end of September. Obviously, we will reinstate the package if the developers decide to make their patches publicly available again.

Our recommendation is that users should consider using sys-kernel/gentoo-sources instead. As an alternative, for users happy keeping themselves on the stable 4.9 branch of the kernel, minipli, another Grsec user, is forward porting the patches at [2]. The Gentoo Hardened team can't make any statement regarding the security, reliability or update availability of those patches, as we aren't providing them, and therefore can't make any recommendation regarding their use.

We'd like to note that all the userspace hardening and MAC support for SELinux provided by Gentoo Hardened will remain and is unaffected by this removal.

Finally, we'd like to send a sincere thank you to Brad Spengler and the PaX Team for making their hardening patches freely available all this time.

[1] https://grsecurity.net/passing_the_baton.php
[2] https://github.com/minipli/linux-unofficial_grsec