# choosing server sources: LTS vanilla or (which) hardened?

## SeeksTheMoon

I am still using 3.10 hardened but as this line has been removed from gentoo, I wonder which version I should install instead.

I want an LTS version and it must be newer than 3.10.1, because I don't want to downgrade - but 3.12 is not available as hardened sources, the stable 3.13 reached end of life (and its latest minor isn't in portage after 3 weeks [hardened]) and 3.14 is the one being worked on right now, so I am actually out of choices.

Wouldn't it be better to use vanilla-sources instead? They provide the most recent version from all longterm (and stable) versions.

How much are the hardened-sources "more secure" by the way? I mean, I read the hardened guide, but most solutions seem to aim at local exploits and the human users on my system are _absolutely_ trustworthy, they won't exploit or damage the system, so I don't need special roles and permissions for them. The only thing left are the system users (e.g. webserver) but I don't serve dynamic content (no webforms, no creepy scripting language software full of exploits etc) and I carefully configured the services, which should make them as difficult to exploit as possible.

The only thing I had from hardened-sources so far were more configuration complexity (if I don't understand all PaX and SELinux and grsecurity options and settings, won't that make the system even less secure due to misconfiguration?) and less application compatibility (try to run a program using libowfat or STXXL or try boinc if you love crashes).

I read that the current kernel uses address randomization without an external patch and the set of program binaries could still use the hardened toolchain, so I don't see a need for hardened-sources.

I also don't get why the 3.10 line was kicked out. Just because one system might have suspend-wakeup problems? Who uses suspend on a 24/7 server? Nobody, that's who. But even if someone did, there are other kernel versions available. I don't get it.

So if I chose vanilla sources, then I could use version >=3.10.39 without fear of no reboot or new issues (like I had with 3.14.0 on my PC which was incompatible with my graphics card and did not start the system properly; I cannot afford that on my server).

What do you say? Am I missing some point? Which kernel would you use in this case? Or should I wait and observe what happens with the hardened-source releases? So far there is only speculation that grsec will change to 3.13 and even if that were true, I had no guarantee that this version will also become the preferable LTS-like choice for gentoo's hardened-sources like 3.2 seems to be with all 58 minor releases.

I mean, the system is running and I probably should not change it, but having this [D] in eix and 38+ missed minor versions with probably important fixes (like for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196 in the future) sucks pretty much.

----------

## aCOSwt

Well... at first, "LTS" has got a meaning restricted to what you can download from kernel.org.

Because they are unpatched, the vanilla-sources can be understood as inheriting this qualifier.

But "understood" only because there is no meaning for "LTS" on Gentoo. Gentoo only manages ~arch and arch (also named stable, with a different meaning than kernel.org stable) releases.

All other sys-kernel/*-sources are: patched.

Of course, as soon as you patch a kernel, you lose upstream's support. => Whatever *-sources (other than vanilla) release cannot formally be called "LTS", even if it belongs to the 3.4/3.10/3.12 branches.

So, if you say "I want an LTS version" and mean it stricto sensu, then the answer to your question is immediate: opt for the vanilla-sources, as there is simply no other *-sources "LTS".

----------

## SeeksTheMoon

Thanks for the answer. As I wrote that I want to use an LTS release, I was actually not focussing on the support part but on the longterm part because it makes my life easier to stay with a version that just works.

So I want to use a kernel series which won't change except for backporting and bugfixing.

The problem with hardened sources is that there is no current hardened-source corresponding to a vanilla LTS in gentoo (except the old 3.2 version) and it seems that I am required to guess which version that could be in the future or always stay up to date with the hardened version that corresponds to the current stable vanilla version. I don't like those choices very much but I am not sure what I am going to lose if I switch over to vanilla.

----------

## aCOSwt

*SeeksTheMoon wrote:*

> The problem with hardened sources is, that there is no current hardened-source corresponding to a vanilla LTS in gentoo (except the old 3.2 version) and it seems that I am required to guess which version that could be in the future or always stay up to date with the hardened version that corresponds to the current stable vanilla version.

Guessing might not be the best solution indeed and... you are not required to guess actually.

I would first try to contact the Project:Hardened team via their email or irc channel in order to understand what their plans are.

----------

## petlab

About hardened sources: you can use security features that only apply to the kernel, however much of what is there works in concert with a hardened userland.

Consider that not all packages work well or compile well for a hardened userland. It is a pretty big subject, so you could start by reading about which hardened features work only in the areas you are thinking about. I know, that's really vague.

Try reading this Wikipedia article for an overview: http://en.wikipedia.org/wiki/Hardened_Gentoo. You'll see that most of those subjects deal with a corresponding userland part. That could help you decide -vanilla or -hardened.

----------

## Hu

Modern hardened userland is quite reliable. There are a few packages where ebuilds apply specific workarounds that reduce the hardening in order to avoid breakage, but you can run hardened userland with minimal personal intervention.

----------

## Rad

*SeeksTheMoon wrote:*

> because it makes my life easier to stay with a version that just works

Maybe you're doing something more complex / specific than me, but it has been quite a long time since I had a release kernel that didn't just work.

*SeeksTheMoon wrote:*

> So I want to use a kernel series which won't change except for backporting and bugfixing.

How about you check out one of the "longterm" kernels from kernel.org upstream, with git?

----------

## krinn

LTS means you can have a kernel version that will get updated with patches and security fixes for a long time; this doesn't mean you will run that kernel for a longer time than other kernels. As soon as a patch/security fix is out, it doesn't matter whether your kernel is LTS or not: you must build and run the newer version for the patches to be effective.

Having an LTS means you can keep it for a long time, making sure a binary driver for 3.1.0 will remain compatible with it, but you won't run that 3.1 longer than a non-LTS kernel; you will need to update to 3.1.1 as soon as a security fix is out.

LTS only grants a longer lifetime to a kernel version; it doesn't allow you to go without updating that branch any longer than a non-LTS kernel.

So your answer is: use the latest hardened kernel, as it eases your life because as soon as a fix is out, portage will download the newer version and you then know you must upgrade to that new version. If you don't upgrade to it, there's no difference whether your kernel is LTS or not; the breach is there and will remain until you've updated your kernel.

----------
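An added shell example, not code from anyone in this thread, covering the two practical checks the discussion turns on: the original question asks what hardened-sources actually add over vanilla ASLR and whether the running kernel is at a given patch level (e.g. >=3.10.39), and krinn's reply stresses that LTS or not, what matters is running the version that carries the fix. `kver_ge` compares Gentoo-style version strings; `kconfig_hardening` reports which hardening options a kernel config enables, run here on a constructed sample config rather than a real `/proc/config.gz`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel's version and its
# hardening-related config options. Run the config check against the real
# kernel with:  zcat /proc/config.gz > /tmp/running.config

# kver_ge A B: exit 0 if version A >= version B. Gentoo suffixes such as
# "-hardened-r1" are stripped first; missing fields (e.g. "3.13") count as 0.
kver_ge() {
  a=${1%%-*}; b=${2%%-*}
  set -- $(echo "$a" | tr . ' ') 0 0; a1=$1; a2=$2; a3=$3
  set -- $(echo "$b" | tr . ' ') 0 0; b1=$1; b2=$2; b3=$3
  [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
  [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
  [ "$a3" -ge "$b3" ]
}

# kconfig_hardening FILE: print NAME=y|n for each hardening-related option.
# CONFIG_GRKERNSEC and CONFIG_PAX* only exist in grsecurity/PaX-patched trees
# (hardened-sources); CONFIG_RANDOMIZE_BASE is mainline KASLR (x86, 3.14+).
kconfig_hardening() {
  for opt in CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_ASLR CONFIG_RANDOMIZE_BASE; do
    if grep -qx "$opt=y" "$1"; then echo "$opt=y"; else echo "$opt=n"; fi
  done
}

# Constructed sample config standing in for a vanilla 3.14 kernel's
# /proc/config.gz: mainline KASLR present, no grsecurity/PaX.
SAMPLE_CONFIG=${TMPDIR:-/tmp}/sample-vanilla.config
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_RANDOMIZE_BASE=y
# CONFIG_GRKERNSEC is not set
EOF

# Demo: compare a few version strings against the 3.10.39 floor from the
# question, then report the sample config's hardening options.
for v in 3.10.1-hardened-r1 3.10.39 3.14.0; do
  if kver_ge "$v" 3.10.39; then echo "$v: at or above 3.10.39"
  else echo "$v: below 3.10.39 (missing fixes)"; fi
done
kconfig_hardening "$SAMPLE_CONFIG"
```

On a live system, replace `"$SAMPLE_CONFIG"` with the extracted `/proc/config.gz` and pass `$(uname -r)` as the first argument to `kver_ge`.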

