From: Kerin Millar
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Re: kernel no longer in hardened-development overlay?
Date: Mon, 19 Apr 2010 23:27:21 +0100
In-Reply-To: <4BCCB2D4.5040503@topphemmelig.net>
References: <4BCC8AA3.4030506@pcdesk.net> <4BCC8FE7.8050606@wildgooses.com> <4BCCA18C.60600@orlitzky.com> <4BCCB2D4.5040503@topphemmelig.net>
List-Id: Gentoo Linux mail (gentoo-hardened@lists.gentoo.org)

On 19/04/2010 20:45, David Sommerseth wrote:

[snip]

> Yes, you are right. But still ... it's now closer to one year *without*
> any updates for the stable kernel. Which means compiling the latest
> upstream 2.6.33.2 kernel might be a lot safer than the 2.6.28-r9 which
> is marked stable now.
>
> As a comparison, Red Hat comes regularly with security fixes to their
> kernels; some RHEL-based kernels almost have an update with security
> fixes every month. Of course you can blame it on the amount of
> resources and equipment available for testing. On the other hand, RHEL
> does backport patches from newer kernels to older kernels (to maintain
> certifications) with (mostly) security fixes. That does take a lot of
> manpower to manage. Anyhow, being able to release a new kernel for a
> "stable marked" release, as RHEL aims at, containing security fixes,
> tells something about the number of vulnerabilities found in the kernel.
>
> But the hardened-sources really touch the nerve now in regards to
> what I feel is safe. The PaX patches do provide some extra security
> which not many others have. But still ... I am not as confident with
> Hardened Gentoo as I once was. I honestly think that the hardened
> sources now are more vulnerable than gentoo-sources, just because of the
> age of the kernel. Granted, gentoo-sources do not have the PaX patch
> set, but they are still fresher, with more CVE and other security fixes
> than what the current stable hardened-sources have.
>
> Fair enough, the Gentoo portage kernels do add some fixes which are not
> in upstream yet ... but that's only valid when the kernel is not as old
> as this one.
>
> I have no problem accepting it if the Hardened team withdraws the current
> hardened-sources. It will most probably create a lot more noise for
> some time. But the current situation is unsustainable, in my honest
> opinion. In fact, it would be a more honest approach if the Hardened
> team withdrew the sources, giving advice on which stable kernel to run
> instead or which approach to take to get a better solution.
>
> The only reason I do not switch kernel yet (or distro) is that I still
> have a hope that a newer kernel is just around the corner. But my hope
> is fading ... and lately faster than before.
>

+1 insightful. I wholeheartedly concur.

Cheers,

--Kerin