
Bug#550379: closed by Bastian Blank <waldi@debian.org> (Re: Bug#550379: linux-kbuild-2.6: embeds linux-2.6)



On Sat, 10 Oct 2009 03:03:06 +0200 Bastian Blank wrote:

> On Fri, Oct 09, 2009 at 05:49:13PM -0400, Michael Gilbert wrote:
> > > On Fri, Oct 09, 2009 at 02:04:20PM -0400, Michael Gilbert wrote:
> > >> the linux-kbuild-2.6 source package includes portions of code from the
> > >> linux-2.6 source package (i.e. everything in ./kbuild/*).  this is bad
> > >> in terms of security support because it causes more work for the
> > >> security team and increases the risk of errors, omissions, and mistakes.
> > > No, it does not. It is a different source package and both are derived
> > > from the same upstream code. 
> > two different source packages with portions being the same code are
> > considered a case of an embedded code copy; which is generally
> > considered bad practice from a security perspective.
> 
> Well, please start with every source using autoconf then. autoconf
> embeds copies of a large amount of source code snippets in the targets.
> This has about the same practical relevance and use as the code we
> are talking about.

automatically generated code (a la autoconf) is not a concern for the
security team.  however, the kbuild code copy is not computer generated;
it consists of human-created perl, c, and shell scripts.

> > >> less significant, but also important, is that since the kbuild package
> > >> is separated from the linux package, the kbuild packages always lag by
> > >> weeks or months after a new kernel release; making it impossible to
> > >> build modules for that new kernel.
> > >> the recommended course of action is to update the linux-2.6 source
> > >> package to also build the kbuild binaries.  thanks.
> > > This is not possible for other reasons.
> > what are these reasons, and why do they seem so insurmountable?
> 
> They are backed by §4 Social Contract. 

i don't see the connection between the social contract and your
requirement to keep the kbuild source package separate from the
kernel source package.  after all, both packages are in main, so from a
social perspective, there is nothing preventing them from being merged.

> To be exact, it is part of the cross-compile support in the
> linux packages. And yes, this is heavily used.

ok, i already know the purpose of the kbuild package, and i already had
the feeling that it was indeed used quite a bit.  i had no intention of
calling either of these facts into question.  i don't see how these
statements are relevant to the discussion.

mike