From: "Francisco Blas Izquierdo Riera" <klondike@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] data/gentoo-news:master commit in: 2017-08-19-hardened-sources-removal/
Date: Sat, 19 Aug 2017 10:25:00 +0000 (UTC)
Message-ID: <1503138211.d60f588c48ad20781829f8b6772a581bacd7c854.klondike@gentoo>
commit: d60f588c48ad20781829f8b6772a581bacd7c854
Author: Francisco Blas Izquierdo Riera (klondike) <klondike <AT> klondike <DOT> es>
AuthorDate: Sat Aug 19 10:23:31 2017 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> gentoo <DOT> org>
CommitDate: Sat Aug 19 10:23:31 2017 +0000
URL: https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=d60f588c
Add news item regarding sys-kernel/hardened-sources removal
.../2017-08-19-hardened-sources-removal.en.txt | 52 ++++++++++++++++++++++
.../2017-08-19-hardened-sources-removal.en.txt.asc | 16 +++++++
2 files changed, 68 insertions(+)
diff --git a/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt b/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt
new file mode 100644
index 0000000..86687a1
--- /dev/null
+++ b/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt
@@ -0,0 +1,52 @@
+Title: sys-kernel/hardened-sources removal
+Author: Francisco Blas Izquierdo Riera <klondike@gentoo.org>
+Posted: 2017-08-19
+Revision: 4
+News-Item-Format: 2.0
+Display-If-Installed: sys-kernel/hardened-sources
+Display-If-Profile: hardened/linux/*
+
+As you may know the core of sys-kernel/hardened-sources have been the
+grsecurity patches.
+
+Sadly, their developers have stopped making these patches freely
+available [1]. This is a full stop of any public updates and not only
+stable ones as was announced two years ago[2].
+
+As a result, the Gentoo Hardened team is unable to keep providing
+further updates of the patches, and although the hardened-sources have
+proved (when using a hardened toolchain) being resistant against
+certain attacks like the stack guard page jump techniques proposed by
+Stack Clash, we can't ensure a regular patching schedule and therefore,
+the security of the users of these kernel sources.
+
+Because of that we will be masking the hardened-sources on the 27th of
+August and will proceed to remove them from the tree by the end of
+September. Obviously, we will reinstate the package again if the
+developers decide to make their patches publicly available again.
+
+Our recommendation is that users should consider using instead
+sys-kernel/gentoo-sources.
+
+As an alternative, for users happy keeping themselves on the stable
+4.9 branch of the kernel; minipli, another grsecurity user, is forward
+porting the patches on [3].
+
+Strcat from Copperhead OS is making his own version of the patches
+forward ported to the latest version of the Linux tree at [4].
+
+The Gentoo Hardened team can't make any statement regarding the
+security, reliability or update availability of either those patches
+as we aren't providing them and can't therefore make any
+recommendation regarding their use.
+
+We'd like to note that all the userspace hardening and MAC support
+for SELinux provided by Gentoo Hardened will still remain there and
+is unaffected by this removal. Also, all PaX related packages other
+than the hardened-sources will remain for the time being.
+
+[1] https://grsecurity.net/passing_the_baton.php
+[2] https://www.gentoo.org/support/news-items/2015-10-21-future-support-of-
+hardened-sources-kernel.html
+[3] https://github.com/minipli/linux-unofficial_grsec
+[4] https://github.com/copperhead/linux-hardened
\ No newline at end of file
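Review bot: The two display headers at the top of the new file, `Display-If-Installed: sys-kernel/hardened-sources` and `Display-If-Profile: hardened/linux/*`, are different header types, and GLEP 42 requires a match for each type present, so a user who has hardened-sources installed on a non-hardened profile will never be shown this item. The masking and removal affect anyone with the package installed, so consider dropping the profile restriction, or confirm that the narrower audience is intended. Separately, reference [2] is wrapped across two lines, which breaks the URL when it is copied; keep it on a single line even if that exceeds the wrap width. "[2]" in the second paragraph is also missing the space that "[1]" has before it, and the file ends without a trailing newline.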
diff --git a/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt.asc b/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt.asc
new file mode 100644
index 0000000..ad2011d
--- /dev/null
+++ b/2017-08-19-hardened-sources-removal/2017-08-19-hardened-sources-removal.en.txt.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=tQru
+-----END PGP SIGNATURE-----
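Review bot: This detached signature covers the exact bytes of the .en.txt added in the same commit, so any follow-up fix to the news text (including adding the missing final newline) will invalidate it. Regenerate the .asc in the same commit as any such change so that the tree never carries a news item whose signature fails to verify.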