On Fri, Aug 17, 2012 at 11:19 PM, "Tóth Attila" <[email protected]> wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appearing.
First, I would like to note that I appreciate very much Anthony's dedication to maintaining hardened-sources.

The situation with stabilizing hardened-sources versions, as I see it, is problematic because grsecurity / PaX upstream only supports a couple of kernels they consider stable (currently, 2.6.32 and 3.2), and the very latest kernel as unstable (currently, 3.5). They don't release patches for interim kernels [1]. So the issue with stabilizing those versions (say, 3.4) is moot — the upstream kernel might be stable, but the grsecurity / PaX patches are frozen in time.

This results in a weird situation if you want, e.g., a stable kernel that's more modern than 3.2, but don't want the EFI-related bugs [2] that were fixed by grsecurity after they switched to the 3.5 series for testing. Ideally, grsecurity could release patches for each kernel series after the latest stable (currently, 3.2), but that would probably require too many resources.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2980
[2] https://bugs.gentoo.org/428726, https://bugs.gentoo.org/430122

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
