1. 14

  2. 20

    The “truth” described here is just a bunch of strutting around claiming that GRSecurity would’ve fixed all of your kernel vulnerabilities and has all of the latest and greatest security features, so why aren’t you using it already? Not that it’s wrong: the security mechanisms included in the patchset do improve the state of the art and prevent intrusions that would otherwise be missed, but for a while I wondered why the improvements weren’t accepted upstream. I can see why now; I wouldn’t want to accept code from someone so angry.

    Also, please update your kernels and every other package. That is perfectly fine advice. And I’d be wary of anyone peddling a security product that claims you shouldn’t need to update. Yes, updating has a risk of including new code that might be insecure, but not updating is even riskier.

    1. 6

      Yes, updating has a risk of including new code that might be insecure, but not updating is even riskier.

      This is an unfair characterization of the post. The post is not objecting to updating to Linux 4.5.4; it is specifically objecting to updating to Linux 4.6: it’s in the title. The comparison is between Linux 4.5.4 (which includes all the security fixes in Linux 4.6) and Linux 4.6, not between Linux 4.5 (which lacks some security fixes) and Linux 4.6. In this context, speaking of the risk of new code is entirely justified.

      Furthermore, the post is objecting to the Linux Foundation’s advice to update to Linux 4.6 because of new security features. Security fixes are in both Linux 4.5.4 and Linux 4.6, but the security features are only in Linux 4.6. But these “new” security features are a subset of what grsecurity provides, and grsecurity is not yet available for Linux 4.6: being out-of-tree, it takes some time to update. Also, the “new” security features will specifically conflict with grsecurity.

      So the question is, between Linux 4.6 with “new” security features and Linux 4.5.4 with grsecurity, which is more secure? The post’s answer is Linux 4.5.4 with grsecurity is more secure. (And even unpatched Linux 4.5 with grsecurity is more secure.) You shouldn’t update to Linux 4.6 until grsecurity is updated. In fact, updating to the latest without grsecurity is harmful to security, so you should ignore Linux Foundation’s advice. That’s what the post is trying to say, admittedly badly with lots of rants. I think the post is correct.

      1. 5

        It’s kind of dishonest to imply any maliciousness on the part of the Linux Foundation though. Assuming the security features in 4.6 are useful, it’s presumably better to update to 4.6 without grsecurity than staying on 4.5.x without grsecurity. “Update to 4.6 for the best security” is thus perfectly sound advice, and it’s up to the individual person/business to consider whether that’s viable at this time or if there are more important considerations.

        It’s also perfectly fine for grsecurity to warn grsecurity users against updating before their product is available for 4.6 of course, but the tone of the article is completely unwarranted.

        Note that I’m not arguing against you, as we seem to completely agree, just providing my own opinion on the topic.

        1. 1

          From the first paragraph…

          the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at: https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented.

          Hmm. The linux.com article reads just like a low content non technical press release. Not a “campaign to rewrite history and mislead”.

          I think he needs to chill a little and assume “it’s not all about him”.

          Personally I think Matthew Garrett explained the problem better.

        2. 4

          GRSec people have been marginalized for over 10 years now. It’s always stuff like “proprietary SAS RAID modules would break with ASLR” and so on. I kind of understand their rage.

          1. 3

            At my last workplace my boss told me proudly that the versions of Linux and OpenSSL on our server were so far out of date that none of the new exploits worked on it. He was also “risk averse”, not updating the server or the compilers and libraries that we used because “they might break something”, “they might make the code bigger/slower”, etc.

          2. 5

            This seems to be a rant about how new kernel versions, in addition to fixing old bugs, introduce new ones. That’s not really surprising at all.

            1. [Comment removed by author]

              1. 2

                Upgrade treadmill. :)