Change log

  • 20091003 - This release switches the toolchain to Gentoo's hardened-dev overlay, which includes all of the hardening features of the previous release in the compiler specs rather than in make.conf. The current toolchain consists of binutils-2.18-r3, glibc-2.9_p20081201-r4, and gcc-4.4.1-r2. The kernel was held at the same version as the previous release.
  • Approximately 125 packages were updated to sync upstream with Gentoo. The following links are the full list of updated packages from the previous release: amd64 and i686. The more noteworthy updates are:
    • bash-4.0_p28 from bash-3.2_p39
    • coreutils-7.4 from coreutils-7.1
    • db-4.7.25_p4 from db-4.5.20_p2-r1 and db-4.6.21_p4
    • epiphany-2.26.3-r1 from epiphany-2.24.3-r10
    • file-5.03 from file-4.23
    • gcc-4.4.1-r2 from gcc-4.3.3-r2
    • gtk+-2.16.6 from gtk+-2.14.7-r2
    • mozilla-firefox-3.0.14 from mozilla-firefox-3.0.11
    • python-2.6.2-r1 from python-2.5.4-r3
    • readline-6.0_p3 from readline-5.2_p13
    • unzip-6.0-r1 from unzip-5.52-r2
    • zip-3.0 from zip-2.32-r1




  • 20090727 - This release deepens the hardening of the binaries from the previous release with few changes to the kernel. The toolchain, composed of binutils-2.18, glibc-2.9 and gcc-4.3.3, was used to compile the system from scratch with the following features:
    • -fstack-protector-all - only glibc and evolution were compiled with just -fstack-protector
    • -D_FORTIFY_SOURCE=2
    • -fPIC -fPIE and -pie
    • -Wl,-z,now,-z,relro - only evolution was compiled with -z,lazy
  • Also, approximately 90 packages were updated to sync upstream with Gentoo. The following links are the full list of updates for amd64 and i686. The more noteworthy updates are:
    • 2.6.28-hardened-r9 from 2.6.28-hardened-r7
    • glibc-2.9 from glibc-2.8
    • postfix-2.5.7
    • firefox-3.0.11
    • lftp-3.7.14
    • portage-2.1.6.13




  • 20090505 - This release is a complete rebuild from scratch using glibc-2.8 and gcc-4.3.3 with stack-protection and other hardening from upstream. Important updated packages include:
    • coreutils-7.1
    • util-linux-2.14.2
    • gnupg-2.0.11
    • xorg-server-1.5.3-r5 and associated x11-drivers
    • ffmpeg-0.5-r1, gstreamer-0.10.22 and associated libraries and plugins
    • portage-2.1.6.11




  • 20090404 - This release addresses many important updates from upstream, particularly:
    • hardened-sources-2.6.28-r7
    • openssl-0.9.8k
    • openssh-5.2_p1-r1
    • glibc-2.8_p20080602-r1
    • gnupg-2.0.10
    • gnome-2.24.1

    Approximately 130 other packages were also upgraded. The full lists can be seen here: amd64 and i686.

    Password hashing was switched from MD5 to SHA512 with the new glibc.

    The build system now allows the option of removing some documentation, thus reducing the size of the ISOs by about 100MB. We now distribute a full and a slimmed-down image for both i686 and amd64 architectures.

    New themes for GDM and the Desktop were introduced.




  • 20090309 - This is primarily a maintenance release addressing approximately 90 updates and syncing upstream with hardened Gentoo. Some minor bugfixes to the desktop were made. You can read the full list of updates for amd64 and i686.



  • 20090119 - This release addresses several security issues and bugfixes, and syncs upstream with stable hardened Gentoo. Over 30 packages are upgraded, including the following important updates:
    • hardened-sources-2.6.25-r12
    • bind-tools-9.4.3_p1
    • openssl-0.9.8j
    • e2fsprogs-libs-1.41.3-r1
    • portage-2.1.6.4




  • 20081229 - This release adds major feature improvements in addition to syncing upstream with Gentoo.
    • The boot process was cleaned up: 1) initrd was replaced with initramfs, 2) busybox was downgraded to 1.7.4 and statically compiled against uClibc, 3) mdev is used to dynamically populate /dev rather than statically populating with MAKEDEV, 4) initramfs's init was improved to better locate the squashfs filesystem.
    • The build scripts were cleaned up so that "building a new release" and "saving a running system to ISO" are the same process. Tin Hat is no longer built from VMware templates, but from a running system purely in RAM.
    • The iso2usb.sh scripts were stabilized. Booting from pen drive now uses syslinux rather than grub.
    • Over 50 packages upgraded to sync with Gentoo. Kernel is now hardened 2.6.25-r11.
    • Some theme changes to gdm and home directory




  • 20081025 - This is an update release to sync upstream with Gentoo. No new features were added. Important updates include:
    • hardened gentoo kernel 2.6.25-r8
    • gnome 2.22.3
    • postfix 2.5.5



  • 20080830 - Security updates and bugfixes to many packages, syncing upstream with Gentoo. Partial support added for wireless and bluetooth. Support added for RAID, LVM, FUSE and EncFS filesystems.



  • 20080728 - Initial release. Take a look at the Technical Considerations to see what was put into Tin Hat to start.



  • 20080727 - Testing build for initial release.