This is the elog message when enabling the deblob USE flag:
 * hardened-sources is UNSUPPORTED by Gentoo Security.
 * This means that it is likely to be vulnerable to recent security issues.
 * For specific information on why this kernel is unsupported, please read:
 * http://www.gentoo.org/proj/en/security/kernel.xml
The link should be: https://wiki.gentoo.org/wiki/Project:Kernel_Security
Also, it's normally supported. It seems to be only unsupported when the USE flag is enabled. This should be mentioned in the message. The eclass contains:
    # if we're using a deblobbed kernel, it's not supported
    [[ $K_DEBLOB_AVAILABLE == 1 ]] && use deblob && K_SECURITY_UNSUPPORTED=deblob
so the reason for no support is known; the elog should just include $K_SECURITY_UNSUPPORTED.
As of now (2015-07-25), regarding the subject, your new link (https://wiki.gentoo.org/wiki/Project:Kernel_Security) is not accurate either, because hardened-sources is supported (https://wiki.gentoo.org/wiki/Project:Kernel_Security#Supported_Kernel_Sources) and there is no mention at all of deblobbed kernels. So, to avoid confusion, it must be described another way...
Hardened Team, thoughts?
(In reply to Mike Pagano from comment #2) > Hardened Team, thoughts? Get rid of that message. It's misleading.
(In reply to Mike Pagano from comment #2) > Hardened Team, thoughts? ping
reping!
Sorry, I need to re-add myself to kernel-misc. Anthony, you want it completely removed?
(In reply to Mike Pagano from comment #6) > Sorry, I need to re-add myself to kernel-misc. Anthony, you want it > completely removed? Yes, completely remove it. It is supported.
(In reply to Anthony Basile from comment #7) > (In reply to Mike Pagano from comment #6) > > Sorry, I need to re-add myself to kernel-misc. Anthony, you want it > > completely removed? > > yes completely remove it. it is supported. Mike, shall I remove it?
Yes, sorry Anthony, I dropped this. Please remove it whenever you like.
(In reply to Mike Pagano from comment #9) > Yes, sorry Anthony, I dropped this. Please remove it whenever you like. Okay I've committed the following. Notice you can still trigger the message by setting K_SECURITY_UNSUPPORTED="any text here" in the ebuild. Realize that this means we're saying that security is supported on *all* USE=deblob kernels, not just hardened-sources. If any particular kernel flavor wants security unsupported for USE=deblob or otherwise, they'll have to set K_SECURITY_UNSUPPORTED themselves. Reopen if there's more to discuss. diff --git a/eclass/kernel-2.eclass b/eclass/kernel-2.eclass index 94231ec..0f47b8c 100644 --- a/eclass/kernel-2.eclass +++ b/eclass/kernel-2.eclass @@ -798,10 +798,13 @@ postinst_sources() { # if we have USE=symlink, then force K_SYMLINK=1 use symlink && K_SYMLINK=1 - # if we're using a deblobbed kernel, it's not supported - [[ $K_DEBLOB_AVAILABLE == 1 ]] && \ - use deblob && \ - K_SECURITY_UNSUPPORTED=deblob + # We do support security on a deblobbed kernel, bug #555878. + # If some particular kernel version doesn't have security + # supported because of USE=deblob or otherwise, one can still + # set K_SECURITY_UNSUPPORTED on a per ebuild basis. + #[[ $K_DEBLOB_AVAILABLE == 1 ]] && \ + # use deblob && \ + # K_SECURITY_UNSUPPORTED=deblob # if we are to forcably symlink, delete it if it already exists first. if [[ ${K_SYMLINK} > 0 ]]; then
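Review bot: the old deblob check is left in postinst_sources() as commented-out code (`#[[ $K_DEBLOB_AVAILABLE == 1 ]] && \` and the two lines below it) rather than deleted; the new comment referencing bug #555878 already records why the logic went away and git history keeps the original, so drop those three lines instead of keeping dead code in the eclass. Note also that this hunk only stops setting K_SECURITY_UNSUPPORTED for USE=deblob; the elog that fires whenever the variable is set (still reachable per-ebuild, as the commit comment says) still carries the stale http://www.gentoo.org/proj/en/security/kernel.xml link pointed out in comment #0, so updating that URL to https://wiki.gentoo.org/wiki/Project:Kernel_Security and printing ${K_SECURITY_UNSUPPORTED} in the message would address the rest of this report.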