Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
On 10/20/15 4:23 AM, Daniel Campbell wrote:
> On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
>> Hi everyone, for your consideration:
>>
>> Title: Future Support of hardened-sources Kernel
>> Content-Type: text/plain
>> Posted: 2015-10-21
>> Revision: 1
>> News-Item-Format: 1.0
>> Display-If-Installed: sys-kernel/hardened-sources
>> Display-If-Keyword: hardened
>> Display-If-Keyword: pax_kernel
>> Display-If-Profile: hardened/linux/amd64
>> Display-If-Profile: hardened/linux/amd64/no-multilib
>> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
>> Display-If-Profile: hardened/linux/amd64/selinux
>> Display-If-Profile: hardened/linux/amd64/x32
>> Display-If-Profile: hardened/linux/arm/armv6j
>> Display-If-Profile: hardened/linux/arm/armv7a
>> Display-If-Profile: hardened/linux/ia64
>> Display-If-Profile: hardened/linux/musl/amd64
>> Display-If-Profile: hardened/linux/musl/amd64/x32
>> Display-If-Profile: hardened/linux/musl/arm/armv7a
>> Display-If-Profile: hardened/linux/musl/mips
>> Display-If-Profile: hardened/linux/musl/mips/mipsel
>> Display-If-Profile: hardened/linux/musl/ppc
>> Display-If-Profile: hardened/linux/musl/x86
>> Display-If-Profile: hardened/linux/powerpc/ppc32
>> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
>> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
>> Display-If-Profile: hardened/linux/uclibc/amd64
>> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
>> Display-If-Profile: hardened/linux/uclibc/mips
>> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
>> Display-If-Profile: hardened/linux/uclibc/ppc
>> Display-If-Profile: hardened/linux/uclibc/x86
>> Display-If-Profile: hardened/linux/x86
>> Display-If-Profile: hardened/linux/x86/selinux
>>
>> For many years, the Grsecurity team [1] has been supporting two
>> versions of their security patches against the Linux kernel, a
>> stable and a testing version, and Gentoo has made both of these
>> available to our users through the hardened-sources package.
>>
>> However, on August 26 of this year, the team announced they would
>> no longer be making the stable version publicly available, citing
>> trademark infringement by a major embedded systems company as the
>> reason. [2] The stable patches are now only available to sponsors
>> of Grsecurity and can no longer be distributed in Gentoo. However,
>> the team did assure us that they would continue to release and
>> support the testing version as they have in the past.
>>
>> What does this mean for users of hardened-sources? Gentoo will
>> continue to make the testing version available through our
>> hardened-sources package but we will have to drop support for the
>> 3.x series. In a few days, those ebuilds will be removed from the
>> tree and you will be required to upgrade to a 4.x series kernel.
>> Since the hardened-sources package only installs the kernel source
>> tree, you can continue using a currently built 3.x series kernel
>> but bear in mind that we cannot support you, nor will upstream.
>> Also keep in mind that the 4.x series will not be as reliable as
>> the 3.x series was, so reporting bugs promptly will be even more
>> important. Gentoo will continue to work closely with upstream to
>> stay on top of any problems, but be prepared for the occasional
>> "bad" kernel. The more reporting we receive from our users, the
>> better we will be able to decide which hardened-sources kernels to
>> mark stable and which to drop.
>>
>> Refs.
>> [1] https://grsecurity.net
>> [2] https://grsecurity.net/announce.php
>
> Looks like a good write-up to me. Concise and clear, with the URL for
> those who care enough about the fiasco. However, does this mean the
> hardened kernel package must stay in ~arch since it's technically the
> testing version? Or would we keyword it based on our own findings of
> stability?

I will continue to mark the best amd64 and x86 versions as stable.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell wrote:
> However, does this mean the hardened kernel package must stay in ~arch
> since it's technically the testing version? Or would we keyword it
> based on our own findings of stability?

I'd recommend that the team does whatever adds the most value. If it doesn't want to do QA on released versions then I suggest it all stay as ~arch. If you're going to do your own QA I don't see why you can't mark versions as stable - just make it clear to users what stable means.

BTW, while they're only tracking the most recent stable branch of the kernel, they ARE tracking a stable branch, and not mainline.

-- 
Rich
Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
On 10/20/15 4:45 AM, Rich Freeman wrote:
> On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell wrote:
>> However, does this mean the hardened kernel package must stay in ~arch
>> since it's technically the testing version? Or would we keyword it
>> based on our own findings of stability?
>
> I'd recommend that the team does whatever adds the most value. If it
> doesn't want to do QA on released versions then I suggest it all stay
> as ~arch. If you're going to do your own QA I don't see why you can't
> mark versions as stable - just make it clear to users what stable means.
>
> BTW, while they're only tracking the most recent stable branch of the
> kernel, they ARE tracking a stable branch, and not mainline.

I have been marking hardened-sources based on the grsecurity testing patches as stable since forever and will continue with the same practice. "Testing" means they add new features there first and those new features can break stuff. We identify breakage in bug reports and hold back to versions that are known to work until upstream fixes the broken features. It works pretty well in practice and most users of hardened-sources already know this. What they may not know is that the 3.x is no longer public.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel
On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
> Hi everyone, for your consideration:
>
> Title: Future Support of hardened-sources Kernel
> Content-Type: text/plain
> Posted: 2015-10-21
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: sys-kernel/hardened-sources
> Display-If-Keyword: hardened
> Display-If-Keyword: pax_kernel
> Display-If-Profile: hardened/linux/amd64
> Display-If-Profile: hardened/linux/amd64/no-multilib
> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
> Display-If-Profile: hardened/linux/amd64/selinux
> Display-If-Profile: hardened/linux/amd64/x32
> Display-If-Profile: hardened/linux/arm/armv6j
> Display-If-Profile: hardened/linux/arm/armv7a
> Display-If-Profile: hardened/linux/ia64
> Display-If-Profile: hardened/linux/musl/amd64
> Display-If-Profile: hardened/linux/musl/amd64/x32
> Display-If-Profile: hardened/linux/musl/arm/armv7a
> Display-If-Profile: hardened/linux/musl/mips
> Display-If-Profile: hardened/linux/musl/mips/mipsel
> Display-If-Profile: hardened/linux/musl/ppc
> Display-If-Profile: hardened/linux/musl/x86
> Display-If-Profile: hardened/linux/powerpc/ppc32
> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
> Display-If-Profile: hardened/linux/uclibc/amd64
> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
> Display-If-Profile: hardened/linux/uclibc/mips
> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
> Display-If-Profile: hardened/linux/uclibc/ppc
> Display-If-Profile: hardened/linux/uclibc/x86
> Display-If-Profile: hardened/linux/x86
> Display-If-Profile: hardened/linux/x86/selinux
>
> For many years, the Grsecurity team [1] has been supporting two
> versions of their security patches against the Linux kernel, a
> stable and a testing version, and Gentoo has made both of these
> available to our users through the hardened-sources package.
>
> However, on August 26 of this year, the team announced they would
> no longer be making the stable version publicly available, citing
> trademark infringement by a major embedded systems company as the
> reason. [2] The stable patches are now only available to sponsors
> of Grsecurity and can no longer be distributed in Gentoo. However,
> the team did assure us that they would continue to release and
> support the testing version as they have in the past.
>
> What does this mean for users of hardened-sources? Gentoo will
> continue to make the testing version available through our
> hardened-sources package but we will have to drop support for the
> 3.x series. In a few days, those ebuilds will be removed from the
> tree and you will be required to upgrade to a 4.x series kernel.
> Since the hardened-sources package only installs the kernel source
> tree, you can continue using a currently built 3.x series kernel
> but bear in mind that we cannot support you, nor will upstream.
> Also keep in mind that the 4.x series will not be as reliable as
> the 3.x series was, so reporting bugs promptly will be even more
> important. Gentoo will continue to work closely with upstream to
> stay on top of any problems, but be prepared for the occasional
> "bad" kernel. The more reporting we receive from our users, the
> better we will be able to decide which hardened-sources kernels to
> mark stable and which to drop.
>
> Refs.
> [1] https://grsecurity.net
> [2] https://grsecurity.net/announce.php

Looks like a good write-up to me. Concise and clear, with the URL for those who care enough about the fiasco. However, does this mean the hardened kernel package must stay in ~arch since it's technically the testing version? Or would we keyword it based on our own findings of stability?

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6
[gentoo-dev] News Item: Future Support of hardened-sources Kernel
Hi everyone, for your consideration:

Title: Future Support of hardened-sources Kernel
Content-Type: text/plain
Posted: 2015-10-21
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Keyword: hardened
Display-If-Keyword: pax_kernel
Display-If-Profile: hardened/linux/amd64
Display-If-Profile: hardened/linux/amd64/no-multilib
Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
Display-If-Profile: hardened/linux/amd64/selinux
Display-If-Profile: hardened/linux/amd64/x32
Display-If-Profile: hardened/linux/arm/armv6j
Display-If-Profile: hardened/linux/arm/armv7a
Display-If-Profile: hardened/linux/ia64
Display-If-Profile: hardened/linux/musl/amd64
Display-If-Profile: hardened/linux/musl/amd64/x32
Display-If-Profile: hardened/linux/musl/arm/armv7a
Display-If-Profile: hardened/linux/musl/mips
Display-If-Profile: hardened/linux/musl/mips/mipsel
Display-If-Profile: hardened/linux/musl/ppc
Display-If-Profile: hardened/linux/musl/x86
Display-If-Profile: hardened/linux/powerpc/ppc32
Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
Display-If-Profile: hardened/linux/uclibc/amd64
Display-If-Profile: hardened/linux/uclibc/arm/armv7a
Display-If-Profile: hardened/linux/uclibc/mips
Display-If-Profile: hardened/linux/uclibc/mips/mipsel
Display-If-Profile: hardened/linux/uclibc/ppc
Display-If-Profile: hardened/linux/uclibc/x86
Display-If-Profile: hardened/linux/x86
Display-If-Profile: hardened/linux/x86/selinux

For many years, the Grsecurity team [1] has been supporting two versions of their security patches against the Linux kernel, a stable and a testing version, and Gentoo has made both of these available to our users through the hardened-sources package.

However, on August 26 of this year, the team announced they would no longer be making the stable version publicly available, citing trademark infringement by a major embedded systems company as the reason. [2] The stable patches are now only available to sponsors of Grsecurity and can no longer be distributed in Gentoo. However, the team did assure us that they would continue to release and support the testing version as they have in the past.

What does this mean for users of hardened-sources? Gentoo will continue to make the testing version available through our hardened-sources package but we will have to drop support for the 3.x series. In a few days, those ebuilds will be removed from the tree and you will be required to upgrade to a 4.x series kernel. Since the hardened-sources package only installs the kernel source tree, you can continue using a currently built 3.x series kernel but bear in mind that we cannot support you, nor will upstream. Also keep in mind that the 4.x series will not be as reliable as the 3.x series was, so reporting bugs promptly will be even more important. Gentoo will continue to work closely with upstream to stay on top of any problems, but be prepared for the occasional "bad" kernel. The more reporting we receive from our users, the better we will be able to decide which hardened-sources kernels to mark stable and which to drop.

Refs.
[1] https://grsecurity.net
[2] https://grsecurity.net/announce.php

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
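The Display-If-* headers in the news item above decide which systems are shown it. As an added illustration (not part of the thread and not portage's own code), here is a small evaluator for those headers; it assumes the GLEP 42 semantics as I understand portage to implement them (headers of the same kind are OR'ed, different kinds are AND'ed, an item with no Display-If-* headers is shown to everyone) and simplifies Display-If-Installed to a category/package name match instead of full dependency-atom matching. The header block is constructed from the item above with the body shortened and the profile list cut to three entries.

```python
# Added example, not from the gentoo-dev thread or from portage.
# Evaluates GLEP 42 Display-If-* headers against a system description.
# Assumed semantics: same-kind headers OR'ed, different kinds AND'ed,
# no restriction headers means "show to everyone". Display-If-Installed
# is simplified to a category/package name match (no version atoms).
from collections import defaultdict

# Constructed input: headers of the hardened-sources item, body shortened.
NEWS_ITEM = """\
Title: Future Support of hardened-sources Kernel
Content-Type: text/plain
Posted: 2015-10-21
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Keyword: hardened
Display-If-Keyword: pax_kernel
Display-If-Profile: hardened/linux/amd64
Display-If-Profile: hardened/linux/amd64/selinux
Display-If-Profile: hardened/linux/x86

(body text of the news item goes here)
"""

def parse_headers(text):
    """Return {header: [values]} for the header block before the first blank line."""
    headers = defaultdict(list)
    for line in text.split("\n\n", 1)[0].splitlines():
        key, _, value = line.partition(":")
        headers[key.strip()].append(value.strip())
    return headers

def is_relevant(headers, installed, keywords, profile):
    """Decide whether a news item should be shown to one system.

    installed: set of installed category/package names
    keywords:  set of keywords taken from ACCEPT_KEYWORDS
    profile:   the system's profile path relative to profiles/
    """
    checks = {
        "Display-If-Installed": lambda v: v in installed,
        "Display-If-Keyword": lambda v: v in keywords,
        "Display-If-Profile": lambda v: v == profile,
    }
    for kind, matches in checks.items():
        values = headers.get(kind)  # None when this kind is absent
        if values and not any(matches(v) for v in values):
            return False  # kind present, none of its values match
    return True
```

Under these semantics a system must satisfy every kind of restriction present, so a box with hardened-sources installed but on a non-hardened profile, or without "hardened" or "pax_kernel" in ACCEPT_KEYWORDS, is not shown the item.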