Tin Hat

This release includes some minor bug fixes and lots of updates. The kernel was held steady at 2.6.28-r9. The tool chain was upgraded to gcc-4.4.2-r1, glibc-2.11-r1, and binutils-2.20. Over 300 other packages were also upgraded. On the desktop, GNOME was upgraded to 2.26.3 from 2.24.1 and Firefox was upgraded to 3.5.4 from 3.0.14. A new security audit tool, checksec.sh by Tobias Klein, is now included.

This release switches the toolchain to Gentoo's hardened-dev overlay, which includes all of the hardening features of the previous release implemented at the compiler specs level rather than in the make.conf file and other manual hacks. The current toolchain is comprised of binutils-2.18-r3, glibc-2.9_p20081201-r4, and gcc-4.4.1-r2. No changes were made to the kernel, which is held at 2.6.28-hardened-r9. Approximately 125 packages were updated to sync upstream with Gentoo. Important updates include bash, coreutils, python, readline, gtk+, epiphany, and firefox.

This release continues the work of hardening the system libraries and binaries begun in the previous release with little changes to the kernel. The toolchain, composed of binutils-2-18, glibc-2.9, and gcc-4.3.3, was used to compile the system from scratch with the following hardening: -fstack-protector-all for everything (except glibc and evolution, where just -fstack-protect is required); -D_FORTIFY_SOURCE=2; PIC/PIE; and -Wl,-z,now,-z,relro (except for evolution which requires -z,lazy). The project has also been synchronized upstream with Gentoo, updating approximately 90 packages.

This release concentrates primarily on updating the hardened tool chain. No changes were made to the kernel since the last release. The system was recompiled using hardened Gentoo's stock gcc-4.3.3 plus stack-protection. Extensive testing on the new binaries was performed. Many packages were also updated. Major updates include coreutils, util-linux, and xorg-server and its drivers/libs. Firefox was also update to the more secure 3.0.10.

This release addresses many important updates from upstream Hardened Gentoo, including updates to hardened-sources-2.6.28-r7 and glibc-2.8_p20080602-r1. Approximately 130 other packages were also upgraded. Password hashing was switched form MD5 to SHA512. The build system now allows the option of removing some documentation when constructing the ISOs, thus reducing their size by about 100MB, and also reducing the tmpfs RAM usage by about 300MB. Tin Hat is now distributed in full and slimmed down versions for both i686 and amd64 architectures. New themes were introduced.