From: "Anthony G. Basile" <basile@opensource.dyc.edu>
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] The state of grsecurity in gentoo
Date: Wed, 2 Sep 2015 12:13:33 -0400
Message-ID: <55E7202D.7080402@opensource.dyc.edu>
Hi everyone,

So by now most people have heard the news that the Grsecurity/PaX team
are no longer going to be making their stable patches available. The
reason is that they are in dispute with a certain embedded systems
vendor and those negotiations broke down. So they decided to make their
stable patches only available to the sponsors. [1]

What does this mean for Gentoo? Up until now I have been maintaining
both the grsec upstream stable and testing patchsets in our
hardened-sources. Currently the upstream stable kernels are 3.2.71 and
3.14.51 and the testing are 4.1.6. In about one week, the 3.2.71 and
3.14.51 patchsets will no longer be available and I'll continue pushing
out the 4.1.6. Unfortunately the testing patchset is precisely as the
name suggests --- for testing and not production. For the embedded
systems company this will be the kiss of death because those patches are
not suitable for long term. For Gentoo it will mean that I will have to
be more vigilant about bugs and trying to stick with a well known kernel
before moving on. You can still use these kernels in production, but
you must be careful about instabilities as upstream pushes out
experimental features that may oops or panic. Keep older kernel images
around and revert if it doesn't work. Look to this list for
announcements about more serious issues like things that can cause data
loss.

I'm hoping that once this company feels the sting of what has just
happened, they'll come back to the table and talk with Grsec/PaX people.
They won't be able to ship boards with grsec anymore because it's not so
easy to switch out a kernel on a board! If they ship a board with a
bug, they lose. We just reboot :)

[1] https://grsecurity.net/

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197