Bug 555878 - kernel-2.eclass - Unsupported message is unclear and link is wrong
Summary: kernel-2.eclass - Unsupported message is unclear and link is wrong
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Eclasses
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Miscellaneous
Reported: 2015-07-25 15:19 UTC by Jason Zaman
Modified: 2015-10-09 12:25 UTC
Description Jason Zaman gentoo-dev 2015-07-25 15:19:15 UTC
This is the elog message when enabling the deblob USE flag.

 * hardened-sources is UNSUPPORTED by Gentoo Security.
 * This means that it is likely to be vulnerable to recent security issues.
 * For specific information on why this kernel is unsupported, please read:
 * http://www.gentoo.org/proj/en/security/kernel.xml

The link should be: https://wiki.gentoo.org/wiki/Project:Kernel_Security

Also, it is normally supported. It seems to be unsupported only when the USE flag is enabled. This should be mentioned in the message.

The eclass contains:
# if we're using a deblobbed kernel, it's not supported
[[ $K_DEBLOB_AVAILABLE == 1 ]] && use deblob && K_SECURITY_UNSUPPORTED=deblob

so the reason for no support is known, the elog should just include $K_SECURITY_UNSUPPORTED.
Comment 1 Andrey Aleksandrovich 2015-07-25 16:20:17 UTC
As of now (2015-07-25), regarding the subject, your new link (https://wiki.gentoo.org/wiki/Project:Kernel_Security) is not accurate either, because hardened-sources is supported (https://wiki.gentoo.org/wiki/Project:Kernel_Security#Supported_Kernel_Sources) and there is no mention at all of a deblobbed kernel.
So, to avoid confusion, it must be described another way...
Comment 2 Mike Pagano gentoo-dev 2015-07-26 19:12:05 UTC
Hardened Team, thoughts?
Comment 3 Anthony Basile gentoo-dev 2015-08-06 10:40:43 UTC
(In reply to Mike Pagano from comment #2)
> Hardened Team, thoughts?

Get rid of that message. It's misleading.
Comment 4 Anthony Basile gentoo-dev 2015-08-19 10:45:58 UTC
(In reply to Mike Pagano from comment #2)
> Hardened Team, thoughts?

ping
Comment 5 Anthony Basile gentoo-dev 2015-08-27 11:21:28 UTC
reping!
Comment 6 Mike Pagano gentoo-dev 2015-09-02 14:05:38 UTC
Sorry, I need to re-add myself to kernel-misc. Anthony, you want it completely removed?
Comment 7 Anthony Basile gentoo-dev 2015-09-04 09:50:03 UTC
(In reply to Mike Pagano from comment #6)
> Sorry, I need to re-add myself to kernel-misc. Anthony, you want it
> completely removed?

Yes, completely remove it. It is supported.
Comment 8 Anthony Basile gentoo-dev 2015-10-09 09:26:22 UTC
(In reply to Anthony Basile from comment #7)
> (In reply to Mike Pagano from comment #6)
> > Sorry, I need to re-add myself to kernel-misc. Anthony, you want it
> > completely removed?
> 
> Yes, completely remove it. It is supported.

Mike, shall I remove it?
Comment 9 Mike Pagano gentoo-dev 2015-10-09 10:10:56 UTC
Yes, sorry Anthony, I dropped this. Please remove it whenever you like.
Comment 10 Anthony Basile gentoo-dev 2015-10-09 12:25:06 UTC
(In reply to Mike Pagano from comment #9)
> Yes, sorry Anthony, I dropped this. Please remove it whenever you like.

Okay, I've committed the following. Notice you can still trigger the message by setting K_SECURITY_UNSUPPORTED="any text here" in the ebuild. Realize that this means we're saying that security is supported on *all* USE=deblob kernels, not just hardened-sources. If any particular kernel flavor wants security unsupported for USE=deblob or otherwise, they'll have to set K_SECURITY_UNSUPPORTED themselves.

Reopen if there's more to discuss.


diff --git a/eclass/kernel-2.eclass b/eclass/kernel-2.eclass
index 94231ec..0f47b8c 100644
--- a/eclass/kernel-2.eclass
+++ b/eclass/kernel-2.eclass
@@ -798,10 +798,13 @@ postinst_sources() {
        # if we have USE=symlink, then force K_SYMLINK=1
        use symlink && K_SYMLINK=1
 
-       # if we're using a deblobbed kernel, it's not supported
-       [[ $K_DEBLOB_AVAILABLE == 1 ]] && \
-               use deblob && \
-               K_SECURITY_UNSUPPORTED=deblob
+       # We do support security on a deblobbed kernel, bug #555878.
+       # If some particular kernel version doesn't have security
+       # supported because of USE=deblob or otherwise, one can still
+       # set K_SECURITY_UNSUPPORTED on a per ebuild basis.
+       #[[ $K_DEBLOB_AVAILABLE == 1 ]] && \
+       #       use deblob && \
+       #       K_SECURITY_UNSUPPORTED=deblob
 
        # if we are to forcably symlink, delete it if it already exists first.
        if [[ ${K_SYMLINK} > 0 ]]; then
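
Review bot: In postinst_sources(), the three lines that set K_SECURITY_UNSUPPORTED=deblob are commented out rather than deleted, which leaves dead code in the eclass. The new comment block with the bug #555878 reference already records the reason and git history keeps the old lines, so I would drop the `#[[ $K_DEBLOB_AVAILABLE == 1 ]] && \` block entirely. The hunk also leaves the elog text itself untouched, so an ebuild that sets K_SECURITY_UNSUPPORTED by hand will, as far as this diff shows, still print the message with the old link reported in the bug. Updating that URL and printing the value of $K_SECURITY_UNSUPPORTED as the stated reason would be worth a follow-up change.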