Change log

  • 20130228 - The hardened toolchain and kernel were updated to
    • gcc-4.6.3
    • glibc-2.15-r3
    • binutils-2.22-r1
    • hardened-sources-3.7.5-r1 = vanilla-3.7.5 + genpatches-3.7-7 + grsecurity-2.9.1-3.7.5-201301311811
  • Over 400 packages were upgraded.



  • 20121015 - The hardened toolchain and kernel were updated to
    • gcc-4.5.4
    • glibc-2.15-r2
    • binutils-2.22-r1
    • hardened-sources-3.2.30-r3 = vanilla-3.2.30 + genpatches-3.2-16 + grsecurity-2.9.1-3.2.30-201210071704
  • Approximately 240 packages were updated. The following links show a full list: amd64 and i686.




  • 20120625 - The hardened kernel was updated to the 3.2 branch. The hardened toolchain was updated to:
    • gcc-4.5.3-r2
    • glibc-2.14.1-r1
    • binutils-2.22-r1
    • hardened-sources-3.2.0 = vanilla 3.2.20 + genpatches-3.2-15 + grsecurity-2.9.1-3.2.20-201206171957
  • Approximately 260 packages were updated and 20 were added. The following links show a full list of the upgraded packages: amd64 and i686.




  • 20111107 - The hardened kernel was updated to the 3.0 branch. The hardened toolchain was updated:
    • gcc-4.5.3-r1
    • glibc-2.12.2
    • binutils-2.21.1-r1
    • hardened-sources-3.0.4-r5 = vanilla 3.0.4 + genpatches-3.0-7 + grsecurity-2.2.2-3.0.4-201110080819
  • Approximately 295 packages were updated and 30 were added. The following links show a full list of the upgraded packages: amd64 and i686.




  • 20110613 - The hardened kernel was updated to the 2.6.38 branch for greater stability. The hardened toolchain was updated:
    • gcc-4.4.5
    • glibc-2.12.2
    • binutils-2.20.1-r1 (unchanged)
    • hardened-sources-2.6.38-r6 = vanilla 2.6.38.7 + genpatches-2.6.38-7 + grsecurity-2.2.2-2.6.38.7-201105222331
  • Approximately 380 packages were updated and 20 were removed. The following links show a full list of the upgraded packages: amd64 and i686.




  • 20101219 - The hardened toolchain was updated. The kernel was reverted to the 2.6.32 branch for greater stability.
    • gcc-4.4.4-r2 remains the same
    • glibc-2.11.2-r3
    • binutils-2.20.1-r1 remains the same
    • hardened-sources-2.6.32-r31 = vanilla 2.6.32.27 + genpatches-2.6.32-29 + grsecurity-2.2.1-2.6.32.27-201012130740
  • Approximately 120 packages were updated and 20 more added. The following links show a full list of the upgraded packages: amd64 and i686.




  • 20100901 - The hardened toolchain and kernel were updated:
    • gcc-4.4.4-r2 remains the same
    • glibc-2.11.2
    • binutils-2.20.1-r1 remains the same
    • hardened-sources-2.6.34-r2 = vanilla 2.6.34.4 + grsec-2.2.0-2.6.34.4-201008131840
  • Important updates include gnome-2.30.2 and firefox-3.6.8. The following links show a full list of the upgraded packages: amd64 and i686.




  • 20100601 - The hardened toolchain and kernel were updated:
    • gcc-4.4.4-r2
    • glibc-2.11.1
    • binutils-2.20.1-r1
    • hardened-sources-2.6.32-r7 = 2.6.32.13 + grsec-2.1.14-2.6.32.13-201005151340
  • Approximately 250 packages were also updated, the most important of which were gnome-2.28.2 and firefox-3.6.3. The following links show a full list of the upgraded packages: amd64 and i686.




  • 20100219 - The hardened toolchain was partially updated:
    • gcc-4.4.3-r1 from gcc-4.4.2-r1
    • glibc was held steady at glibc-2.11-r1
    • binutils was held steady at binutils-2.20
  • Approximately 70 packages were updated to sync upstream with Gentoo. These were primarily small security updates and bugfixes. The following links are the full list of updated packages from the previous release: amd64 and i686.




  • 20091218 - This is primarily a maintenance release. The hardened toolchain was updated:
    • gcc-4.4.2-r1 from gcc-4.4.1-r2
    • glibc-2.11-r1 from glibc-2.9_p20081201-r4
    • binutils-2.20 from binutils-2.18-r3
  • The following links are the full list of updated packages from the previous release: amd64 and i686. Important package upgrades include:
    • bash-4.0_p35 from bash-4.0_p28
    • coreutils-7.5-r1 from coreutils-7.4
    • gnome-2.26.3 from gnome-2.24.1
    • mozilla-firefox-3.5.4 from mozilla-firefox-3.0.14
    • openssl-0.9.8l-r2 from openssl-0.9.8k
    • postfix-2.6.5 from postfix-2.5.7
    • python-2.6.4 from python-2.6.2-r1
    • seahorse-2.26.2 from seahorse-2.22.3
    • squashfs-tools-3.4 from squashfs-tools-3.3
    • util-linux-2.16.1 from util-linux-2.14.2
    • xorg-server-1.6.5-r1 from xorg-server-1.5.3-r6
  • A security audit tool written by Tobias Klein, called checksec.sh, was added to test running processes or binaries for relro, ssp, nx, pie, aslr. See his blog at www.trapkit.de.




  • 20091003 - This release switches the toolchain to Gentoo's hardened-dev overlay which includes all of the hardening features of the previous release in the compiler specs rather than in make.conf. The current toolchain is comprised of binutils-2.18-r3, glibc-2.9_p20081201-r4, and gcc-4.4.1-r2. The kernel was held at the same version as the previous release.

  • Approximately 125 packages were updated to sync upstream with Gentoo. The following links are the full list of updated packages from the previous release: amd64 and i686. The more noteworthy updates are:
    • bash-4.0_p28 from bash-3.2_p39
    • coreutils-7.4 from coreutils-7.1
    • db-4.7.25_p4 from db-4.5.20_p2-r1 and db-4.6.21_p4
    • epiphany-2.26.3-r1 from epiphany-2.24.3-r10
    • file-5.03 from file-4.23
    • gcc-4.4.1-r2 from gcc-4.3.3-r2
    • gtk+-2.16.6 from gtk+-2.14.7-r2
    • mozilla-firefox-3.0.14 from mozilla-firefox-3.0.11
    • python-2.6.2-r1 from python-2.5.4-r3
    • readline-6.0_p3 from readline-5.2_p13
    • unzip-6.0-r1 from unzip-5.52-r2
    • zip-3.0 from zip-2.32-r1




  • 20090727 - This release deepens the hardening of the binaries from the previous release with few changes to the kernel. The toolchain, composed of binutils-2.18, glibc-2.9 and gcc-4.3.3, was used to compile the system from scratch with the following features:
    • -fstack-protector-all - only glibc and evolution were compiled with just -fstack-protector
    • -D_FORTIFY_SOURCE=2
    • -fPIC -fPIE and -pie
    • -Wl,-z,now,-z,relro - only evolution was compiled with -z,lazy
  • Also, approximately 90 packages were updated to sync upstream with Gentoo. The following links are the full list of updates for amd64 and i686. The more noteworthy updates are:
    • 2.6.28-hardened-r9 from 2.6.28-hardened-r7
    • glibc-2.9 from glibc-2.8
    • postfix-2.5.7
    • firefox-3.0.11
    • lftp-3.7.14
    • portage-2.1.6.13




  • 20090505 - This release is a complete rebuild from scratch using glibc-2.8 and gcc-4.3.3 with stack-protection and other hardening from upstream. Important updated packages include:
    • coreutils-7.1
    • util-linux-2.14.2
    • gnupg-2.0.11
    • xorg-server-1.5.3-r5 and associated x11-drivers
    • ffmpeg-0.5-r1, gstreamer-0.10.22 and associated libraries and plugins
    • portage-2.1.6.11




  • 20090404 - This release addresses many important updates from upstream, particularly:
    • hardened-sources-2.6.28-r7
    • openssl-0.9.8k
    • openssh-5.2_p1-r1
    • glibc-2.8_p20080602-r1
    • gnupg-2.0.10
    • gnome-2.24.1

    Approximately 130 other packages were also upgraded. The full lists can be seen here: amd64 and i686.

    Password hashing was switched from MD5 to SHA512 with the new glibc.

    The build system now allows the option of removing some documentation, thus reducing the size of the ISOs by about 100MB. We now distribute a full and a slimmed-down image for both i686 and amd64 architectures.

    New themes for GDM and the Desktop were introduced.




  • 20090309 - This is primarily a maintenance release addressing approximately 90 updates and syncing upstream with hardened Gentoo. Some minor bugfixes to the desktop were made. You can read the full list of updates for amd64 and i686.



  • 20090119 - This release addresses several security issues and bugfixes, and syncs upstream with stable hardened Gentoo. Over 30 packages are upgraded, including the following important updates:
    • hardened-sources-2.6.25-r12
    • bind-tools-9.4.3_p1
    • openssl-0.9.8j
    • e2fsprogs-libs-1.41.3-r1
    • portage-2.1.6.4




  • 20081229 - This release adds major feature improvements in addition to syncing upstream with Gentoo.
    • The boot process was cleaned up: 1) initrd was replaced with initramfs, 2) busybox was downgraded to 1.7.4 and statically compiled against uClibc, 3) mdev is used to dynamically populate /dev rather than statically populating with MAKEDEV, 4) initramfs's init was improved to better locate the squashfs filesystem.
    • The build scripts were cleaned up so that "building a new release" and "saving a running system to ISO" are the same process. Tin Hat is no longer built from VMware templates, but from a running system purely in RAM.
    • The iso2usb.sh scripts were stabilized. Booting from pen drive now uses syslinux rather than grub.
    • Over 50 packages upgraded to sync with Gentoo. Kernel is now hardened 2.6.25-r11.
    • Some theme changes to gdm and home directory




  • 20081025 - This is an update release to sync upstream with Gentoo. No new features were added. Important updates include:
    • hardened gentoo kernel 2.6.25-r8
    • gnome 2.22.3
    • postfix 2.5.5



  • 20080830 - Security updates and bugfixes to many packages, syncing upstream with Gentoo. Partial support added for wireless and bluetooth. Support added for RAID, LVM, FUSE and EncFS filesystems.



  • 20080728 - Initial release. Take a look at the Technical Considerations to see what was put into Tin Hat to start.



  • 20080727 - Testing build for initial release.