Hi everyone,
So by now most people have heard the news that the Grsecurity/PaX team
are no longer going to be making their stable patches available. The
reason is that they are in dispute with a certain embedded systems
vendor and those negotiations broke down. So they decided to make their
stable patches only available to the sponsors. [1]
What does this mean for Gentoo? Up until now I have been maintaining
both the grsec upstream stable and testing patchsets in our
hardened-sources. Currently the upstream stable kernels are 3.2.71 and
3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
3.14.51 patchsets will no longer be available and I'll continue pushing
out the 4.1.6. Unfortunately the testing patchset is precisely as the
name suggests --- for testing and not production. For the embedded
systems company this will be the kiss of death because those patches are
not suitable for long term. For Gentoo it will mean that I will have to
be more vigilant about bugs and trying to stick with a well known kernel
before moving on. You can still use these kernels in production, but
you must be carefull about instabilities as upstream pushes out
experimental feature that may oops or panic. Keep older kernel images
around and revert if it doesn't work. Look to this list for
announcements about more serious issues like things that can cause data
loss.
I'm hoping that once this company feels the sting of what has just
happened, they'll come back to the table and talk with Grsec/PaX people.
They won't be able to ship boards with grsec anymore because its not so
easy to switch out a kernel on a board! If they ship a board with a
bug, they loose. We just reboot :)
[1] https://grsecurity.net/
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
