Passing the Baton: FAQ

April 26, 2017

When will this happen?

This change is effective today, April 26th 2017. Public test patches have been removed from the download area. 4.9 was specifically chosen as the last public release because, as the latest upstream LTS kernel, it will help ease the community transition.

Why are you doing this?

We have been providing grsecurity freely for 16 years. Given renewed interest in security by the Linux community, we are opening our playground for newcomers to experiment with new ideas. We believe our future will be shaped by the next generation and this will provide them with the experience needed to improve Linux kernel security.

Why are you really doing this?

We want to focus our efforts on the next generation of security defenses. Data-only attacks are the last remaining holdout for memory corruption exploitation and are even more important for the security of the kernel itself. As always, we plan to stay well ahead of the exploitation curve, so we will be tackling the vector holistically, building on top of the strong security guarantees provided by RAP, our best-in-breed defense against code reuse attacks.

What about PaX?

As this is a joint decision, there will be no public PaX patches for future kernels. This is effective April 26th 2017.

What new technologies are you working on?

ARM64, mobile/Android, RAP for stable kernels, KERNSEAL, STRUCTGUARD, and other next-generation defenses against data-only attacks. We will occasionally provide updates on these advances via our blog.

I am a grsecurity -stable customer, how does this affect me?

Services for existing customers remain unaffected. All active customers were sent advance notice of this announcement with all necessary information.

My business depends on the -test kernel patches, what now?

We recommend you become a grsecurity commercial subscriber. Subscribers may opt in to gain access to our -beta patches, which track the latest kernel releases. Please contact Open Source Security Inc.

I do not want to spend money, what alternatives are there?

Unfortunately, in contrast to Microsoft's post-Windows XP Trustworthy Computing initiative which drastically changed its security trajectory, the Linux community at large has failed to invest adequately in security over the past two decades. Partially due to this, there is no direct alternative to grsecurity or even any option that provides a substantial fraction of grsecurity's features or overall benefits.

This feature matrix shows the differences between existing Linux kernel security technologies.

Can the old patches still be used?

Of course. The GPLv2 license under which grsecurity is provided gives all users the ability to continue using, modifying, and redistributing the code present in grsecurity. We will not, however, maintain an archive of old patches on our website.

Can I continue to use the name grsecurity?

grsecurity® is a registered trademark of Open Source Security Inc. We will continue to use it in our official work. We ask that any community-based ports or additions to the last public official grsecurity patch not use the grsecurity trademark. At minimum, replacing the "grsec" uname addition, removing the grsecurity boot logo from the patch, and removing "grsec" from associated package names will make this easier and avoid confusion. All copyright and license notices must remain intact as required by the GPL.

Who is Open Source Security Inc.?

Open Source Security Inc. is the company behind grsecurity. Initially founded in Virginia in 2008, we re-incorporated in Pennsylvania in 2015. We have been working on grsecurity continuously since 2001 and bring the results of our years of experience in Linux kernel security to benefit our customers through grsecurity patch subscriptions, professional support, and custom security development work. Our team has been responsible for most of the effective security defenses in use today on any OS.

Our announcement may be viewed here.