Re: ABI-changing kernel security fixes for sarge

On Wed, Mar 23, 2005 at 11:33:05AM +0100, Martin Schulze wrote:
> Horms wrote:
> > Hi,
> > 
> > I am finally nearing the bottom of my todo list for the 
> > up and coming release of kernel-source-2.4.27 2.4.27-9. 
> > And to date, the only ABI change I have is for CAN-2005-0449, 
> > as per my mail yesterday.
> > 
> > http://lists.debian.org/debian-boot/2005/03/msg00689.html
> > 
> > To the best of my knowledge 2.6.8 is in the same position -
> > I worked with Andres Salomon on the fix that went in there,
> > and the fix that was pulled out, and they are the
> > same fixes as for 2.4.27.
> > 
> > I am quite comfortable with doing a post-sarge security update
> > for this if the d-i team feels this is the best approach.
> > Though it is a remote exploit, and that needs to be
> > taken into due consideration.
> We need to discuss how to handle security updates that impose ABI
> changes anyway.  The current situation in woody is not acceptable
> for sarge.
> That is, new package names, and due to the ABI change the updates
> can't make it into woody.
> We'd need at least a list of module packages that we need to
> recompile when a kernel update changes the ABI and all the
> modules become void.
> This also means that we need to be able to rebuild modules from
> their corresponding source package.

Notice that enabling auto-NEW for such ABI changes will speed up this process
considerably, but I was told I was a whiner for even suggesting such, and bashed
upon endlessly.

Also, please find someone else for building the powerpc 2.6.8 and 2.4.27
security updates, as I will most certainly not do that anymore.

Sven Luther

