From now on, only the testing branch of grsecurity will be supported.
Additionally, use only patches from upstream.
It's impossible to provide meaningful support for grsecurity stable.
First, because building and testing \(m \times n \times z) [1], packages
is infeasible. Second, because stable patches are only available from
upstream for-pay, making us reliant on third-parties for patches. In
addition to creating yet more work for the maintainers, using stable
patches provided by a third-party goes against the wishes of upstream.
nixpkgs provides the tools necessary to build grsecurity kernels for any
version the user chooses, however, provided they pay for, or otherwise
acquire, the patch themselves.
Eventually, we'll want to remove the now obsolete top-level attributes,
but leave them in for now to smoothe migration (they have been removed
from top-level/release.nix, though, because it makes no sense to have
them there).
[1]: where \(m\) is the number of grsecurity flavors, \(n\) is the
number of kernel versions, and z is the size of the `linuxPackages` set
The last release was in May 2012 with many fixes hitting git since then.
Also open-iscsi has broken out the open-isns part as extra library, so
we have that as new dependency.
It is deprecated doesn't handle compressed modules, unlike its modern
counterpart kmod.
Add a compatibility alias to kmod for now in case someone is depending
on this in their scripts.
Extracting headers from a grsecurity patched kernel triggers additional
build steps that require gcc plugins. For this to work, we'd need to
add gmp, libmpfr, and libmpc to the build inputs as well as run `make
prepare` before installing the headers (lest the build fail due to
missing files).
Out-of-tree modules use kernel.dev and user space should use the Linux
API headers used to build libc, not headers extracted from random
kernels, so fixing this for grsecurity is pointless.
