* Matthew Thode schrieb am 03.09.15 um 21:46 Uhr: > On 09/03/2015 02:28 PM, Marc Schiffbauer wrote: > > * Anthony G. Basile schrieb am 02.09.15 um 18:13 Uhr: > >> Hi everyone, > >> > >> So by now most people have heard the news that the Grsecurity/PaX team > >> are no longer going to be making their stable patches available. The > >> reason is that they are in dispute with a certain embedded systems > >> vendor and those negotiations broke down. So they decided to make their > >> stable patches only available to the sponsors. [1] > >> > >> What does this mean for Gentoo? Up until now I have been maintaining > >> both the grsec upstream stable and testing patchsets in our > >> hardened-sources. Currently the upstream stable kernels are 3.2.71 and > >> 3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and > >> 3.14.51 patchsets will no longer be available and I'll continue pushing > >> out the 4.1.6. Unfortunately the testing patchset is precisely as the > >> name suggests --- for testing and not production. For the embedded > >> systems company this will be the kiss of death because those patches are > >> not suitable for long term. For Gentoo it will mean that I will have to > >> be more vigilant about bugs and trying to stick with a well known kernel > >> before moving on. You can still use these kernels in production, but > >> you must be carefull about instabilities as upstream pushes out > >> experimental feature that may oops or panic. Keep older kernel images > >> around and revert if it doesn't work. Look to this list for > >> announcements about more serious issues like things that can cause data > >> loss. > >> > >> I'm hoping that once this company feels the sting of what has just > >> happened, they'll come back to the table and talk with Grsec/PaX people. > >> They won't be able to ship boards with grsec anymore because its not so > >> easy to switch out a kernel on a board! If they ship a board with a > >> bug, they loose. We just reboot :) > >> > >> [1] https://grsecurity.net/ > > > > Can't Gentoo be a sponsor? I think we could easly croudfund a > > sponsorship. > > > > This would help Gentoo and Grsecurty/PaX but OTOH that vendor might just > > use the gentoo kernel if they not already did so. > > > > Thoughts? > > > We can't do that because it would make the LTS patches public, which > spender is trying to avoid.
True and what I wanted to say with the OTOH part. But doesn't this apply
to any sponsor? I mean we are talking about GPL'ed Software... does the
GPL permit to distribute source under some kind of NDA?
I fully respect their decision but I hope things will be back to normal
again soon.
-Marc
>
--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134
signature.asc
Description: Digital signature
