summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRepository QA checks <repo-qa-checks@gentoo.org>2017-08-19 10:43:56 +0000
committerRepository QA checks <repo-qa-checks@gentoo.org>2017-08-19 10:43:56 +0000
commitc28864bee2e64b672ce0b94bd7cff79b17045198 (patch)
tree36a162b4e505c745378a5a434683256b04d8c6fe
parentMerge updates from master (diff)
parentAdd news item regarding sys-kernel/hardened-sources removal (diff)
downloadgentoo-c28864bee2e64b672ce0b94bd7cff79b17045198.tar.gz
gentoo-c28864bee2e64b672ce0b94bd7cff79b17045198.tar.bz2
gentoo-c28864bee2e64b672ce0b94bd7cff79b17045198.zip
Merge commit 'd60f588c48ad20781829f8b6772a581bacd7c854'
-rw-r--r--metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt52
-rw-r--r--metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt.asc16
2 files changed, 68 insertions, 0 deletions
diff --git a/metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt b/metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt
new file mode 100644
index 000000000000..86687a1c1bf6
--- /dev/null
+++ b/metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt
@@ -0,0 +1,52 @@
+Title: sys-kernel/hardened-sources removal
+Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
+Posted: 2017-08-19
+Revision: 4
+News-Item-Format: 2.0
+Display-If-Installed: sys-kernel/hardened-sources
+Display-If-Profile: hardened/linux/*
+
+As you may know the core of sys-kernel/hardened-sources have been the
+grsecurity patches.
+
+Sadly, their developers have stopped making these patches freely
+available [1]. This is a full stop of any public updates and not only
+stable ones as was announced two years ago[2].
+
+As a result, the Gentoo Hardened team is unable to keep providing
+further updates of the patches, and although the hardened-sources have
+proved (when using a hardened toolchain) being resistant against
+certain attacks like the stack guard page jump techniques proposed by
+Stack Clash, we can't ensure a regular patching schedule and therefore,
+the security of the users of these kernel sources.
+
+Because of that we will be masking the hardened-sources on the 27th of
+August and will proceed to remove them from the tree by the end of
+September. Obviously, we will reinstate the package again if the
+developers decide to make their patches publicly available again.
+
+Our recommendation is that users should consider using instead
+sys-kernel/gentoo-sources.
+
+As an alternative, for users happy keeping themselves on the stable
+4.9 branch of the kernel; minipli, another grsecurity user, is forward
+porting the patches on [3].
+
+Strcat from Copperhead OS is making his own version of the patches
+forward ported to the latest version of the Linux tree at [4].
+
+The Gentoo Hardened team can't make any statement regarding the
+security, reliability or update availability of either those patches
+as we aren't providing them and can't therefore make any
+recommendation regarding their use.
+
+We'd like to note that all the userspace hardening and MAC support
+for SELinux provided by Gentoo Hardened will still remain there and
+is unaffected by this removal. Also, all PaX related packages other
+than the hardened-sources will remain for the time being.
+
+[1] https://grsecurity.net/passing_the_baton.php
+[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-
+hardened-sources-kernel.html
+[3] https://github.com/minipli/linux-unofficial_grsec
+[4] https://github.com/copperhead/linux-hardened \ No newline at end of file
diff --git a/metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt.asc b/metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt.asc
new file mode 100644
index 000000000000..ad2011db8192
--- /dev/null
+++ b/metadata/news/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIyBAABCgAcBQJZmBFHFRxrbG9uZGlrZUBrbG9uZGlrZS5lcwAKCRD0vdLv6P94
++ZfWD/0b9xjYz5qQJ2aOfvuE1744tYeEPq8HytR+h1phU2KNEvOIvnOKUTuhZ+2k
+ZB6JGzOJN9ub3pOOikVDOMYLyQbCYpQGZYukWOZNVCQ8BbtGHHfkiOEFqaETJlKi
+HzCrGDAgZsLhlHeceSkLogn6zYkaklAC7RJ3PqCTC7qARH4PVT9JLMjB5HHLOULm
+dT7NEJfPmQgw6amx3SDPyqyBiKfU1+UCc5cGx7jevXAAPtvxSDWiuccO01fDxZ5M
+NNGO6mkjPOlqXgOmPnw1dIJDz3auWPR3UmZw4uMaMz+KR4PfJqv18sSln89f1TuF
+HUZ23v7wO+Ly8y3s0psjmQKvxD9XFRaHbTi4RBkhHCgFotJ8TtL9bpLSq7m+07s7
+pYBlNCdiuJH3+pc2/KJ1Pp8qyNXPcAy4miqT62lPtn6xkSqrNGRKgUahgtuMDL+N
+LSY5kzDrRH9TfZhn9K3uapwvDThG/OhTrCJY7fTlHzhXRR2OwOZVpNvc+xyvprsD
+mLRJ2LLfOb5NZdL2lk4MUZXOYimmX02s+rngBh/GGD0E1SjgJz2zPHgCsoTuGZk8
+87coPwcpdMwQZFjB33du14y+Qrl4ayMxH9ViyVGbUsglEImC+nfNxb1u493WSzee
+2CG2ZrCfv5t9O/XlotYQoD0fAGAsZzmCPayJro6/8O95MHENww==
+=tQru
+-----END PGP SIGNATURE-----