Re: sarge kernel security transition

dann frazier wrote:
> The ABI/security discussions have left me with a question - at what
> point does security maintenance of our kernels transition from the
> debian-kernel/testing security teams to the Debian security team, and
> how will we interact with one another? I assume there will be some
> overlap, but it might be good to define this transition before it

When security.debian.org has to be used the security team needs to
be in the loop. We need to work together with the kernel maintainers,
though. I believe that this is even more important for the kernel
than for other packages.

> Source Control
> I assume at some point we'll want to branch off our 2.4.27/2.6.8 kernels
> and lock them down for only security changes. I think it would be nice
> to keep our svn repo up to date with the security releases, even if it
> is an after-the-fact svn_load_dirs dump. I assume this would fall to
> the kernel team to maintain, if we choose to do so (versus the security
> team doing the committing).

That should be doable.

> Sarge package vs. latest packages
> When the first security update happens, will the uploaders start with
> whatever is in sarge, or the latest version?

Regular security updates always take care of the version that was released
with the released/frozen Debian distribution. When the kernel is frozen,
that package should probably be used. Until that, a more recent version
can be used as basis, I guess, to be judged by the kernel team.
Updates to the once-released distributions will be based on the
latest version in that particular distribution (here: woody, sarge).

> When sarge happens, it's likely there will be pending changes in
> kernel-source in svn, and maybe in sid. It's also possible that some
> kernel-image re-builds may not have propagated into sarge yet. The
> changes here should be mostly security fixes at this point; however
> we've not formally frozen these packages to my knowledge, so this isn't
> guaranteed. Maybe now is the time to do that?

The only stupid question is the unasked one.