Re: Please upload signed kernel images at the same time as unsigned ones

To: Arto Jantunen <viiru@debian.org>
Cc: "Rhonda D'Vine" <debian-backports@lists.debian.org>
Subject: Re: Please upload signed kernel images at the same time as unsigned ones
From: Julien Aubin <julien.aubin@gmail.com>
Date: Tue, 17 Jan 2017 15:10:40 +0100
Message-id: <[🔎] CAB=k8WKbmBwE3pf9F-_oyB4Etf0yYfBR5c1ZKY51kTJ=xCXaKQ@mail.gmail.com>
In-reply-to: <[🔎] CAB=k8W+XUCU0Bo2-StTTdy4XLj0+=W9wOXOGZNVUMGXVX8_3+g@mail.gmail.com>
References: <CAB=k8W+FU2UMp08S3tyVz7hx9H5ae2ANKusC3xn6m=-M+qJ0Ww@mail.gmail.com> <CAB=k8W+5wFGf2XXwnidsN+L8cQ6uXK3VWUTtAdbm7w+tHfZ=DA@mail.gmail.com> <CAB=k8W+YtRC3TBXe5bhKzkkMe87Dgy=xxvkHqNxDvsL6pxwo1w@mail.gmail.com> <CAB=k8W+ETh4-rgTXicNQmhDVEAKR4O6iMrv5MmD=j-whS22byg@mail.gmail.com> <CAB=k8WK6eEvb6F_fy1wEVr6PRd2HU0tgjyuK2cabaQ0jgJKjtg@mail.gmail.com> <CAB=k8WJLdh6sXBFev_qtpnmU-UmTPzSucci3uVH9rx+3703gvQ@mail.gmail.com> <CAB=k8WKODd=AB9tW9xg29ADVv64UPENDijCpekdEyWi82CarKg@mail.gmail.com> <CAB=k8WJdqbP44cL4WL2Yesd7TyMvcw5aGaVrc4O8KeSQYtk1OQ@mail.gmail.com> <CAB=k8WKv=bbWE+K-4modxTeDxiHCyeA9Fqz3LxcRd3t7PEAWVw@mail.gmail.com> <[🔎] CAB=k8WKv-bMW-SZndFiVERcRpBZ87MVvfv5npxadY+8b=cr_ZQ@mail.gmail.com> <[🔎] 87a8apu7nq.fsf@iki.fi> <[🔎] CAB=k8W+XUCU0Bo2-StTTdy4XLj0+=W9wOXOGZNVUMGXVX8_3+g@mail.gmail.com>

... or even better : the unsigned image is the default image (ends with -amd64) and the signed image (ends with -amd64-signed) provides the kernel unsigned package

Le 17 janv. 2017 15:06, "Julien Aubin" <julien.aubin@gmail.com> a écrit :

Okay but in that case could you please shorten the delay from a week as currently to several hours ?

Le 17 janv. 2017 14:40, "Arto Jantunen" <viiru@debian.org> a écrit :
Julien Aubin <julien.aubin@gmail.com> writes:
> Signed linux kernel images tend to become the default as package
> linux-latest is updated when linux-signed is updated.
>
> The problem is that when there are security fixes like the ones for kernel
> 4.8.x the unsigned images are pushed well before signed images, putting
> most of the users (w/ default config) at security risk.
>
> So could you please publish both signed and unsigned kernels at the same
> time ? (As of now 4.8.15)

No, we cannot. The unsigned image is used to create the signed image,
thus the unsigned image needs to be in the archive before the signed
image can be created.

I assume there is a separate plan in place for security updates to
stable.

--
Arto Jantunen

Reply to:

Follow-Ups:
- Re: Please upload signed kernel images at the same time as unsigned ones
  - From: Thorsten Glaser <t.glaser@tarent.de>

References:
- Please upload signed kernel images at the same time as unsigned ones
  - From: Julien Aubin <julien.aubin@gmail.com>
- Re: Please upload signed kernel images at the same time as unsigned ones
  - From: Arto Jantunen <viiru@debian.org>
- Re: Please upload signed kernel images at the same time as unsigned ones
  - From: Julien Aubin <julien.aubin@gmail.com>

Prev by Date: Re: Please upload signed kernel images at the same time as unsigned ones
Next by Date: Please provide linux-image-amd64-unsigned et al. metapackages (was Re: Please upload signed kernel images at the same time as unsigned ones)
Previous by thread: Re: Please upload signed kernel images at the same time as unsigned ones
Next by thread: Re: Please upload signed kernel images at the same time as unsigned ones
Index(es):
- Date
- Thread