2009/3/24 klondike <[email protected]>:
> 2009/3/24 7v5w7go9ub0o <[email protected]>
>>
>> FWICT, hardened-sources has offered, for a few days now, a more recent
>> kernel than gentoo-sources! (not that there's any sort of competition :-) )
>>
>> Good show! (thanks!!)
>
> I'm not going to cite anything because then I may get an out of context
> answer :P But I think it was gengor who said that, obviously, there isn't any
> kind of competition, and that the kernel change was just coincidence.
>
> As a side note, say that the jump was 2.6.26 to 2.6.28 so I think gentoo
> sources has been also advanced for some time :P
The initial hardened-sources-2.6.28 release was committed precisely one month after the equivalent gentoo-sources release (plus an additional day with respect to the kernel.org release). This is a reasonable timeframe, particularly when you consider that the project must wait on upstream to produce a new grsecurity patch.

Also, there were releases for 2.6.27, but they were recently retired because - due to issues with the corresponding grsecurity patch - the decision was made that they would never be stabilised, in favour of 2.6.28. That doesn't change the fact that they were there at the time.

As for the patchsets themselves, hardened-extras has a proven track record in:

1) Incorporating 2.6.X.Y stable patches faster than genpatches-base.

2) Incorporating important fixes that are typically later adopted by genpatches-base and/or stable patches and/or vanilla releases. Recent example: ext4 patches to mitigate against circumstances that commonly lead to data loss: http://bugs.gentoo.org/show_bug.cgi?id=262507 (queued upstream for 2.6.30, I believe).

3) Incorporating/backporting security fixes and _continuing_ to do so for a given 2.6.X trunk for as long as is reasonably possible, even after genpatches/upstream have given up and moved on. For instance, consider the contents of hardened-patches-2.6.25-14.

4) Occasionally, incorporating security fixes for a given trunk where neither genpatches nor upstream do so. For instance, consider my remarks concerning the 2.6.24 releases here: http://bugs.gentoo.org/show_bug.cgi?id=185022#c3

All of this has been especially true since Gordon began maintaining hardened-sources.

In terms of keywording strategy, it's a case of when it's ready, it's ready. On the other hand, if having a newer driver is more important than the maintainer's view of the overall production-worthiness of the release, then current releases are typically available to those who would add a single entry into package.keywords.
Taking all of this into due consideration, I would assert that hardened-sources does generally come out ahead of the 'competition', so to speak.

Cheers,

--Kerin
