grsecurity forums

[m0dY]

Hello,

May be this question has been already asked before but i would like to know why is the latest released stable version of the grsecurity patch is about 1 years' old ?.

Also if i am asked to use the latest test patch will it be stable enough for an enterprise box ? means have it gone under any sort of testing toward reliability and usability ?

Hope you clear the shade

[Hal9000]

Yeah, if running an old kernel with stable grsec patch is less secure than running a new kernel with a test patch, i sense something is wrong in the grsec philosophy... a little bit scary if you ask me...
On the other side, i know 2.6 keeps changing and it's a mess to keep up with, but when I want to run a secure production box I hate to make compromises...

[m0dY]

Well,

I think the best to answer this is one of the devs which might clear up what's exactly they tend to do by this, I doubt there's a reason releasing test patches without issuing one as stable so there must be something foggy here...

[PaX Team]

May be this question has been already asked before but i would like to know why is the latest released stable version of the grsecurity patch is about 1 years' old ?.

it comes up every now and then . first, there're two grsec series maintained in sync (for 2.4 and 2.6) and unless both are 'ready', we won't make a stable release for just one. as you can guess, the one holding up such a release has been 2.6 due to its development model and our lack of resources to keep up with it properly. add to this that we would not like to declare something stable while we know of outstanding bugs in it (be that in our code or in vanilla itself but manifesting under grsec only) and you can see how we ended up in the current situation.

Also if i am asked to use the latest test patch will it be stable enough for an enterprise box ? means have it gone under any sort of testing toward reliability and usability ?

i will pass on the judgement whether 2.6 itself is suitable for an enterprise box (and you know what vendor kernels are for, right? hobby projects like ours are not 'enterprise' in any sense of the word, even if we trust them more ourselves), so i assume you wanted to know whether or to what extent grsec makes the situation worse/better. as far as i know, most things work save for a few bugs in both PaX and grsec that we're tracking down but are having a hard time as they manifest only on certain configurations (read: we can't reproduce and hence debug them easily).

[m0dY]

Hello,

Thanks for the explaining reply, however i have a direct question in mind, for 2.6 kernel, is it good to run grsecurity-2.1.10-2.6.19.2-200701222307.patch.gz rather than grsecurity-2.1.11-2.6.23.9-200712101800.patch considering that the first is the stable grsecurity patch for an old kernel and the second is the test patch for a near date kernel version from the point of stability and quality !

[PaX Team]

Thanks for the explaining reply, however i have a direct question in mind, for 2.6 kernel, is it good to run grsecurity-2.1.10-2.6.19.2-200701222307.patch.gz rather than grsecurity-2.1.11-2.6.23.9-200712101800.patch considering that the first is the stable grsecurity patch for an old kernel and the second is the test patch for a near date kernel version from the point of stability and quality !

i think this has been answered as well already but here it is again: we only support the LATEST 2.6 kernel we have a patch for, that is, bugs reported against older kernels won't be fixed unless reproduced on the last kernel as well (and most problems have of course been fixed already but there's always one or two that keeps us from declaring it 'stable'). this is the reason we do NOT at all recommend using anything older and therefore not make these older patches available (this would be the answer for others seeking these patches every now and then). don't misunderstand us, this is not a situation we like, but we don't have much of choice short of abandoning the whole project altogether.