Bug#550379: closed by Bastian Blank <waldi@debian.org> (Re: Bug#550379: linux-kbulid-2.6: embeds linux-2.6)



On Fri, 09 Oct 2009 21:09:06 +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the linux-kbuild-2.6 package:
> 
> #550379: linux-kbulid-2.6: embeds linux-2.6
> 
> It has been closed by Bastian Blank <waldi@debian.org>.
>
> On Fri, Oct 09, 2009 at 02:04:20PM -0400, Michael Gilbert wrote:
>> the linux-kbuild-2.6 source package includes portions of code from the
>> linux-2.6 source package (i.e. everything in ./kbuild/*).  this is bad
>> in terms of security support because it causes more work for the
>> security team and increases the risk of errors, omissions, and mistakes.
>
> No, it does not. It is a different source package and both are derived
> from the same upstream code. 

two different source packages with portions being the same code are
considered a case of an embedded code copy; which is generally
considered bad practice from a security perspective.

> Also security support for the kernel is solely done by the team itself.

i am acutely aware of this, and you could be making life easier for
yourself (or more accurately for Dann Frazier since he is the primary
kernel-sec contributor).

>> less significant, but also important, is that since the kbuild package
>> is separated from the linux package, the kbuild packages always lag by
>> weeks or months after a new kernel release; making it impossible to
>> build modules for that new kernel.
>> the recommended course of action is to update the linux-2.6 source
>> package to also build the kbuild binaries.  thanks.
>
> This is not possible for other reasons.

what are these reasons, and why do they seem so insurmountable?

mike


