
Re: Please upload signed kernel images at the same time as unsigned ones



What made me react was the presence of 3 CVEs rated 7.2, which means they are critical.

I did not mind the rest of the update, honestly.

On 23 Jan 2017 07:22, "Julien Aubin" <julien.aubin@gmail.com> wrote:
Thanks for the uploads.

I just mean security fixes, not other ones. You do great work on Debian, but security issues would ruin that work.

Thanks again and sorry for the sometimes aggressive attitude.

On 23 Jan 2017 06:09, "Ben Hutchings" <ben@decadent.org.uk> wrote:
On Tue, 2017-01-17 at 21:05 +0100, Julien Aubin wrote:
> Check kernel 4.7 history for example (I noticed it in BPO, but also in
> testing). In BPO each time we had the issue we had to wait for one entire
> week between the two releases.
>
> Here you have the upload dates:
> http://ftp.us.debian.org/debian/pool/main/l/linux/
> http://ftp.us.debian.org/debian/pool/main/l/linux-signed/
>
> The best examples I have around are for BPO, but I saw such issues also w/
> testing.

linux and linux-signed propagate to testing *at the same time*.

> For example for kernel 4.7:

Let's not just take examples, let's look at the timestamps for all the
linux/linux-signed source packages we've uploaded to jessie-backports
from 4.7 onward:

linux (4.8.15-2~bpo8+2)   Tue, 17 Jan 2017 20:18:03 +0000
linux-signed (3.4~bpo8+1) Wed, 18 Jan 2017 15:26:22 +0000

linux (4.8.15-2~bpo8+1)   Fri, 13 Jan 2017 17:03:39 +0100
- binary uploads rejected, so nothing to sign

linux (4.8.11-1~bpo8+1)   Wed, 14 Dec 2016 15:47:42 +0000
linux-signed (3.3~bpo8+2) Sat, 17 Dec 2016 15:07:31 +0000

linux (4.7.8-1~bpo8+1)    Wed, 19 Oct 2016 19:47:42 +0100
linux-signed (2.8~bpo8+1) Sat, 22 Oct 2016 13:01:02 +0100

linux (4.7.6-1~bpo8+1)    Wed, 19 Oct 2016 11:41:53 +0200
- superseded the same day, so not signed

linux (4.7.5-1~bpo8+2)    Sat, 01 Oct 2016 20:52:46 +0100
linux-signed (2.6~bpo8+2) Thu, 06 Oct 2016 21:19:54 +0100

linux (4.7.5-1~bpo8+1)    Fri, 30 Sep 2016 21:55:24 +0200
linux-signed (2.6~bpo8+1) Tue, 04 Oct 2016 02:59:54 +0100

linux (4.7.2-1~bpo8+1)    Wed, 07 Sep 2016 19:59:14 +0200
- never signed

Yes, we dropped the ball on that first upload - it never got signed at
all.  But since then the delay has been at worst 5 days and most
recently <1 day.

(NEW processing and buildd backlogs may also add a delay beyond what
you see in the changelog dates.)

And if you insist you want fixes a.s.a.p. you should be using unstable
rather than waiting for the (usually) 5+ days for updates to hit
testing and additional time for backports.  (The most urgent updates
can be uploaded to backports sooner, but I've seen no sign that you
actually checked the urgency of any issues.)

Ben.

--
Ben Hutchings
Hoare's Law of Large Problems:
        Inside every large problem is a small problem struggling to get out.
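As an added example (not part of the thread or of Debian's tooling), a script that parses an upload list in the form Ben quoted above and measures how long each unsigned `linux` upload waited for its `linux-signed` counterpart; the sample is an abridged copy of his list, the regex and the field layout are assumptions, and the "- ..." annotations are kept as the reason a version was never signed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: an abridged copy of the jessie-backports list quoted above.
UPLOADS = """\
linux (4.8.15-2~bpo8+2)   Tue, 17 Jan 2017 20:18:03 +0000
linux-signed (3.4~bpo8+1) Wed, 18 Jan 2017 15:26:22 +0000
linux (4.8.15-2~bpo8+1)   Fri, 13 Jan 2017 17:03:39 +0100
- binary uploads rejected, so nothing to sign
linux (4.8.11-1~bpo8+1)   Wed, 14 Dec 2016 15:47:42 +0000
linux-signed (3.3~bpo8+2) Sat, 17 Dec 2016 15:07:31 +0000
linux (4.7.8-1~bpo8+1)    Wed, 19 Oct 2016 19:47:42 +0100
linux-signed (2.8~bpo8+1) Sat, 22 Oct 2016 13:01:02 +0100
linux (4.7.5-1~bpo8+2)    Sat, 01 Oct 2016 20:52:46 +0100
linux-signed (2.6~bpo8+2) Thu, 06 Oct 2016 21:19:54 +0100
linux (4.7.5-1~bpo8+1)    Fri, 30 Sep 2016 21:55:24 +0200
linux-signed (2.6~bpo8+1) Tue, 04 Oct 2016 02:59:54 +0100
linux (4.7.2-1~bpo8+1)    Wed, 07 Sep 2016 19:59:14 +0200
- never signed
"""
LINE = re.compile(r"^(linux(?:-signed)?) \(([^)]+)\)\s+(.+)$")  # assumed layout

def signing_lags(text):
    """Map each linux version to the wait for its linux-signed upload (timedelta),
    or to the reason string from the list when no signed upload followed."""
    lags, pending = {}, None          # pending = (version, upload time)
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("- "):      # annotation explaining a missing signing
            if pending:
                lags[pending[0]], pending = line[2:], None
            continue
        pkg, version, stamp = LINE.match(line).groups()
        when = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S %z")  # tz-aware
        if pkg == "linux":
            if pending:                # previous upload got neither signing nor note
                lags[pending[0]] = "no linux-signed upload listed"
            pending = (version, when)
        elif pending:                  # aware datetimes subtract across UTC offsets
            lags[pending[0]], pending = when - pending[1], None
    if pending:
        lags[pending[0]] = "no linux-signed upload listed"
    return lags

def worst_lag(lags):
    """Largest signing delay among the versions that did get signed."""
    return max(d for d in lags.values() if isinstance(d, timedelta))

if __name__ == "__main__":
    for version, lag in signing_lags(UPLOADS).items():
        print(f"{version:<18} {lag}")
    print("worst:", worst_lag(signing_lags(UPLOADS)))
```

Because the timestamps are parsed as timezone-aware values, the 4.7.5-1~bpo8+1 pair (uploaded at +0200, signed at +0100) is measured correctly rather than off by an hour.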
