ABI-changing kernel security fixes for sarge

Hi Joey,

As I touched on briefly on IRC, there is an upcoming kernel security fix
that requires a bit of discussion.  It appears that one of the security
fixes that was included in kernel-source-2.6.8 2.6.8-14 (and backed out, at
least temporarily, in 2.6.8-15), changes the kernel module ABI for a very
small portion of the network stack.

RC3 of Debian Installer is already being finalized, with only the CD builds
to finish up today and tomorrow; the ABI change is being held out of testing in
the meantime.  This leaves the following possible options:

- Add the security fix in before sarge's release, with a change to the
  package names to reflect the ABI change.  This will probably require at
  least a month to get all kernel images rebuilt and integrated into a
  debian-installer RC4 build, during which time the sarge release would be
- Add the security fix in before sarge's release, without changing the
  package names.  This may break some third-party kernel modules currently
  deployed on systems running testing.  No one I've spoken to about this
  knows of any such modules that are definitely affected, but Andres Salomon
  has objected to this approach nevertheless.
- Defer the update until after release, definitely with a change to the
  package names.  This would be for the security team, the kernel team, and
  the d-i team to work out the details of; it would almost certainly require
  a d-i update.

Since the kernel team is vetoing the idea of silently allowing this small
ABI change through before release (which was my preference), and we don't
want to delay the release for another round of d-i/kernel updates, that
seems to leave a post-release security update as the only other option.  Is
this acceptable?  I seem to remember that there were some ABI-changing
updates in woody as well, and now that the kernel team is tracking ABI
changes, they seem to be common even in security fixes; but I wanted to get
your input first to be sure, in case you felt this needed to happen before
release for whatever reason.

It also seems, according to the latest emails, that the same security fix is
going to cause an ABI change for the 2.4 kernels.  Doing full updates of
both 2.4 and 2.6 kernels before release would push my estimate out from 1
month to 2, based on recent experience.

Steve Langasek
postmodern programmer