2009/3/25 Kerin Millar <[email protected]>
> 2009/3/24 klondike <[email protected]>:
> > 2009/3/24 7v5w7go9ub0o <[email protected]>
> >>
> >> FWICT, hardened-sources has offered, for a few days now, a more recent
> >> kernel than gentoo-sources! (not that there's any sort of competition :-) )
> >>
> >> Good show! (thanks!!)
> >
> > I'm not going to cite anything because then I may get an out of context
> > answer :P But I think it was gengor who said that, obviously, there isn't
> > any kind of competition, and that the kernel change was just a coincidence.
> >
> > As a side note, say that the jump was 2.6.26 to 2.6.28 so I think gentoo
> > sources has been also advanced for some time :P
>
> The initial hardened-sources-2.6.28 release was committed precisely
> one month after the equivalent gentoo-sources release (plus an
> additional day with respect to the kernel.org release). This is a
> reasonable timeframe, particularly when you consider that the project
> must wait on upstream to produce a new grsecurity patch.

This is a really nice time frame, I'm not criticizing this.

> Also, there were releases for 2.6.27 but they were recently retired
> because - due to issues with the corresponding grsecurity patch - the
> decision was made that they would never be stabilised, in favour of
> 2.6.28. That doesn't change the fact that they were there at the time.

Neither am I criticizing that.

> As for the patchsets themselves, hardened-extras has a proven track record
> in:
>
> 1) Incorporating 2.6.X.Y stable patches faster than genpatches-base
>
> 2) Incorporating important fixes that are typically later adopted by
> genpatches-base and/or stable patch and/or vanilla releases. Recent
> example: ext4 patches to mitigate against circumstances that commonly
> lead to data loss: http://bugs.gentoo.org/show_bug.cgi?id=262507
> (queued upstream for 2.6.30 I believe)
>
> 3) Incorporating/backporting security fixes and _continuing_ to do so
> for a given 2.6.X trunk for as long as is reasonably possible, even
> after genpatches/upstream have given up and moved on. For instance,
> consider the contents of hardened-patches-2.6.25-14.
>
> 4) Occasionally, incorporating security fixes for a given trunk where
> neither genpatches nor upstream do so. For instance, consider my
> remarks concerning the 2.6.24 releases here:
> http://bugs.gentoo.org/show_bug.cgi?id=185022#c3

Which I'd like to see too on other distros xD

> All of this has been especially true since Gordon began maintaining
> hardened-sources.

I never criticized Gordon's work; I'm the first one using his hardened kernels, which IMHO work really nicely. If I didn't like them I would have switched.

> In terms of keywording strategy, it's a case of when it's ready,
> it's ready. On the other hand, if having a newer driver is more
> important than the maintainer's view of the overall
> production-worthiness of the release, then current releases are
> typically available to those who would add a single entry into
> package.keywords.

Well, as always, sometimes bad things happen there; I remember a recent bug on disabling PaX and Grsec.

> Taking all of this into due consideration, I would assert that
> hardened-sources does generally come out ahead of the 'competition',
> so to speak.

What I meant is that there is no competition: each kernel is made for what it is made for and is targeted to a concrete user. In my case I use hardened mainly in servers (now beginning with desktops) and it has always worked smoothly.
