Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel

2015-10-20 Thread Anthony G. Basile

On 10/20/15 4:23 AM, Daniel Campbell wrote:


On 10/18/2015 06:36 PM, Anthony G. Basile wrote:

Hi everyone, for your consideration:

Title: Future Support of hardened-sources Kernel
Content-Type: text/plain
Posted: 2015-10-21
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Keyword: hardened
Display-If-Keyword: pax_kernel
Display-If-Profile: hardened/linux/amd64
Display-If-Profile: hardened/linux/amd64/no-multilib
Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
Display-If-Profile: hardened/linux/amd64/selinux
Display-If-Profile: hardened/linux/amd64/x32
Display-If-Profile: hardened/linux/arm/armv6j
Display-If-Profile: hardened/linux/arm/armv7a
Display-If-Profile: hardened/linux/ia64
Display-If-Profile: hardened/linux/musl/amd64
Display-If-Profile: hardened/linux/musl/amd64/x32
Display-If-Profile: hardened/linux/musl/arm/armv7a
Display-If-Profile: hardened/linux/musl/mips
Display-If-Profile: hardened/linux/musl/mips/mipsel
Display-If-Profile: hardened/linux/musl/ppc
Display-If-Profile: hardened/linux/musl/x86
Display-If-Profile: hardened/linux/powerpc/ppc32
Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
Display-If-Profile: hardened/linux/uclibc/amd64
Display-If-Profile: hardened/linux/uclibc/arm/armv7a
Display-If-Profile: hardened/linux/uclibc/mips
Display-If-Profile: hardened/linux/uclibc/mips/mipsel
Display-If-Profile: hardened/linux/uclibc/ppc
Display-If-Profile: hardened/linux/uclibc/x86
Display-If-Profile: hardened/linux/x86
Display-If-Profile: hardened/linux/x86/selinux

For many years, the Grsecurity team [1] has been supporting two
versions of their security patches against the Linux kernel, a
stable and a testing version, and Gentoo has made both of these
available to our users through the hardened-sources package.
However, on August 26 of this year, the team announced they would
no longer be making the stable version publicly available, citing
trademark infringement by a major embedded systems company as the
reason. [2]  The stable patches are now only available to sponsors
of Grsecurity and can no longer be distributed in Gentoo.  However,
the team did assure us that they would continue to release and
support the testing version as they have in the past.

What does this mean for users of hardened-sources?  Gentoo will
continue to make the testing version available through our
hardened-sources package but we will have to drop support for the
3.x series.  In a few days, those ebuilds will be removed from the
tree and you will be required to upgrade to a 4.x series kernel.
Since the hardened-sources package only installs the kernel source
tree, you can continue using a currently built 3.x series kernel
but bear in mind that we cannot support you, nor will upstream.
Also keep in mind that the 4.x series will not be as reliable as
the 3.x series was, so reporting bugs promptly will be even more
important.  Gentoo will continue to work closely with upstream to
stay on top of any problems, but be prepared for the occasional
"bad" kernel.  The more reporting we receive from our users, the
better we will be able to decide which hardened-sources kernels to
mark stable and which to drop.

Refs.
[1] https://grsecurity.net
[2] https://grsecurity.net/announce.php


Looks like a good write-up to me. Concise and clear, with the URL for
those who care enough about the fiasco.

However, does this mean the hardened kernel package must stay in ~arch
since it's technically the testing version? Or would we keyword it
based on our own findings of stability?


I will continue to mark the best amd64 and x86 versions as stable.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA




Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel

2015-10-20 Thread Rich Freeman
On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell wrote:
> However, does this mean the hardened kernel package must stay in ~arch
> since it's technically the testing version? Or would we keyword it
> based on our own findings of stability?

I'd recommend that the team does whatever adds the most value.  If it
doesn't want to do QA on released versions then I suggest it all stay
as ~arch.  If you're going to do your own QA I don't see why you can't
mark versions as stable - just make it clear to users what stable
means.

BTW, while they're only tracking the most recent stable branch of the
kernel, they ARE tracking a stable branch, and not mainline.

-- 
Rich



Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel

2015-10-20 Thread Anthony G. Basile

On 10/20/15 4:45 AM, Rich Freeman wrote:

On Tue, Oct 20, 2015 at 4:23 AM, Daniel Campbell wrote:

However, does this mean the hardened kernel package must stay in ~arch
since it's technically the testing version? Or would we keyword it
based on our own findings of stability?

I'd recommend that the team does whatever adds the most value.  If it
doesn't want to do QA on released versions then I suggest it all stay
as ~arch.  If you're going to do your own QA I don't see why you can't
mark versions as stable - just make it clear to users what stable
means.

BTW, while they're only tracking the most recent stable branch of the
kernel, they ARE tracking a stable branch, and not mainline.

I have been marking hardened-sources based on the grsecurity testing 
patches as stable since forever and will continue with the same 
practice.  "Testing" means they add new features there first and those 
new features can break stuff.  We identify breakage in bug reports and 
hold back to versions that are known to work until upstream fixes the 
broken features.  It works pretty well in practice and most users of 
hardened-sources already know this. What they may not know is that the 
3.x is no longer public.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA




Re: [gentoo-dev] News Item: Future Support of hardened-sources Kernel

2015-10-20 Thread Daniel Campbell

On 10/18/2015 06:36 PM, Anthony G. Basile wrote:
> Hi everyone, for your consideration:
> 
> Title: Future Support of hardened-sources Kernel
> Content-Type: text/plain
> Posted: 2015-10-21
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: sys-kernel/hardened-sources
> Display-If-Keyword: hardened
> Display-If-Keyword: pax_kernel
> Display-If-Profile: hardened/linux/amd64
> Display-If-Profile: hardened/linux/amd64/no-multilib
> Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
> Display-If-Profile: hardened/linux/amd64/selinux
> Display-If-Profile: hardened/linux/amd64/x32
> Display-If-Profile: hardened/linux/arm/armv6j
> Display-If-Profile: hardened/linux/arm/armv7a
> Display-If-Profile: hardened/linux/ia64
> Display-If-Profile: hardened/linux/musl/amd64
> Display-If-Profile: hardened/linux/musl/amd64/x32
> Display-If-Profile: hardened/linux/musl/arm/armv7a
> Display-If-Profile: hardened/linux/musl/mips
> Display-If-Profile: hardened/linux/musl/mips/mipsel
> Display-If-Profile: hardened/linux/musl/ppc
> Display-If-Profile: hardened/linux/musl/x86
> Display-If-Profile: hardened/linux/powerpc/ppc32
> Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
> Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
> Display-If-Profile: hardened/linux/uclibc/amd64
> Display-If-Profile: hardened/linux/uclibc/arm/armv7a
> Display-If-Profile: hardened/linux/uclibc/mips
> Display-If-Profile: hardened/linux/uclibc/mips/mipsel
> Display-If-Profile: hardened/linux/uclibc/ppc
> Display-If-Profile: hardened/linux/uclibc/x86
> Display-If-Profile: hardened/linux/x86
> Display-If-Profile: hardened/linux/x86/selinux
> 
> For many years, the Grsecurity team [1] has been supporting two
> versions of their security patches against the Linux kernel, a
> stable and a testing version, and Gentoo has made both of these
> available to our users through the hardened-sources package.
> However, on August 26 of this year, the team announced they would
> no longer be making the stable version publicly available, citing
> trademark infringement by a major embedded systems company as the
> reason. [2]  The stable patches are now only available to sponsors
> of Grsecurity and can no longer be distributed in Gentoo.  However,
> the team did assure us that they would continue to release and
> support the testing version as they have in the past.
> 
> What does this mean for users of hardened-sources?  Gentoo will 
> continue to make the testing version available through our
> hardened-sources package but we will have to drop support for the
> 3.x series.  In a few days, those ebuilds will be removed from the
> tree and you will be required to upgrade to a 4.x series kernel.
> Since the hardened-sources package only installs the kernel source
> tree, you can continue using a currently built 3.x series kernel
> but bear in mind that we cannot support you, nor will upstream.
> Also keep in mind that the 4.x series will not be as reliable as
> the 3.x series was, so reporting bugs promptly will be even more
> important.  Gentoo will continue to work closely with upstream to
> stay on top of any problems, but be prepared for the occasional
> "bad" kernel.  The more reporting we receive from our users, the
> better we will be able to decide which hardened-sources kernels to
> mark stable and which to drop.
> 
> Refs.
> [1] https://grsecurity.net
> [2] https://grsecurity.net/announce.php
> 

Looks like a good write-up to me. Concise and clear, with the URL for
those who care enough about the fiasco.

However, does this mean the hardened kernel package must stay in ~arch
since it's technically the testing version? Or would we keyword it
based on our own findings of stability?

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6



[gentoo-dev] News Item: Future Support of hardened-sources Kernel

2015-10-18 Thread Anthony G. Basile

Hi everyone, for your consideration:

Title: Future Support of hardened-sources Kernel
Content-Type: text/plain
Posted: 2015-10-21
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: sys-kernel/hardened-sources
Display-If-Keyword: hardened
Display-If-Keyword: pax_kernel
Display-If-Profile: hardened/linux/amd64
Display-If-Profile: hardened/linux/amd64/no-multilib
Display-If-Profile: hardened/linux/amd64/no-multilib/selinux
Display-If-Profile: hardened/linux/amd64/selinux
Display-If-Profile: hardened/linux/amd64/x32
Display-If-Profile: hardened/linux/arm/armv6j
Display-If-Profile: hardened/linux/arm/armv7a
Display-If-Profile: hardened/linux/ia64
Display-If-Profile: hardened/linux/musl/amd64
Display-If-Profile: hardened/linux/musl/amd64/x32
Display-If-Profile: hardened/linux/musl/arm/armv7a
Display-If-Profile: hardened/linux/musl/mips
Display-If-Profile: hardened/linux/musl/mips/mipsel
Display-If-Profile: hardened/linux/musl/ppc
Display-If-Profile: hardened/linux/musl/x86
Display-If-Profile: hardened/linux/powerpc/ppc32
Display-If-Profile: hardened/linux/powerpc/ppc64/32bit-userland
Display-If-Profile: hardened/linux/powerpc/ppc64/64bit-userland
Display-If-Profile: hardened/linux/uclibc/amd64
Display-If-Profile: hardened/linux/uclibc/arm/armv7a
Display-If-Profile: hardened/linux/uclibc/mips
Display-If-Profile: hardened/linux/uclibc/mips/mipsel
Display-If-Profile: hardened/linux/uclibc/ppc
Display-If-Profile: hardened/linux/uclibc/x86
Display-If-Profile: hardened/linux/x86
Display-If-Profile: hardened/linux/x86/selinux

For many years, the Grsecurity team [1] has been supporting two versions of
their security patches against the Linux kernel, a stable and a testing
version, and Gentoo has made both of these available to our users through the
hardened-sources package.  However, on August 26 of this year, the team
announced they would no longer be making the stable version publicly
available, citing trademark infringement by a major embedded systems company
as the reason. [2]  The stable patches are now only available to sponsors of
Grsecurity and can no longer be distributed in Gentoo.  However, the team did
assure us that they would continue to release and support the testing version
as they have in the past.

What does this mean for users of hardened-sources?  Gentoo will continue to
make the testing version available through our hardened-sources package but we
will have to drop support for the 3.x series.  In a few days, those ebuilds
will be removed from the tree and you will be required to upgrade to a 4.x
series kernel.  Since the hardened-sources package only installs the kernel
source tree, you can continue using a currently built 3.x series kernel but
bear in mind that we cannot support you, nor will upstream.  Also keep in mind
that the 4.x series will not be as reliable as the 3.x series was, so
reporting bugs promptly will be even more important.  Gentoo will continue to
work closely with upstream to stay on top of any problems, but be prepared for
the occasional "bad" kernel.  The more reporting we receive from our users,
the better we will be able to decide which hardened-sources kernels to mark
stable and which to drop.

Refs.
[1] https://grsecurity.net
[2] https://grsecurity.net/announce.php

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA