[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ABI-changing kernel security fixes for sarge

On Wed, Mar 23, 2005 at 01:35:47AM -0800, Steve Langasek wrote:
> RC3 of Debian Installer is already being finalized, with only the CD builds
> to finish up today and tomorrow; the ABI change is being held of testing in
> the meantime.  This leaves the following possible options:
> - Add the security fix in before sarge's release, with a change to the
>   package names to reflect the ABI change.  This will probably require at
>   least a month to get all kernel images rebuilt and integrated into a
>   debian-installer RC4 build, during which time the sarge release would be
>   delayed.

How big is the possiblity that we get a new security fix during that
time that breaks the ABI again? I guess we can play this game a loooong

> - Add the security fix in before sarge's release, without changing the
>   package names.  This may break some third-party kernel modules currently
>   deployed on systems running testing.  No one I've spoken to about this
>   knows of any such modules that are definitely affected, but Andres Salomon
>   has objected to this approach nevertheless.
> - Defer the update until after release, definitely with a change to the
>   package names.  This would be for the security team, the kernel team, and
>   the d-i team to work out the details of; it would almost certainly require
>   a d-i update.

How big is the chance that we will have another ABI change during
sarge's lifetime (100%?). So it can't hurd to figure out the problems
with that now independently of our decision in this matter...

> Since the kernel team is vetoing the idea of silently allowing this small
> ABI change through before release (which was my preference), and we don't
> want to delay the release for another round of d-i/kernel updates, that
> seems to leave a post-release security update as the only other option.  Is
> this acceptable?  I seem to remember that there were some ABI-changing
> updates in woody as well, and now that the kernel team is tracking ABI
> changes, they seem to be common even in security fixes; but I wanted to get
> your input first to be sure, in case you felt this needed to happen before
> release for whatever reason.
> It also seems, according to the latest emails, that the same security fix is
> going to cause an ABI change for the 2.4 kernels.  Doing full updates of
> both 2.4 and 2.6 kernels before release would push my estimate out from 1
> month to 2, based on recent experience.

My experience with the whole kernel stuff is limited so excuse the
question: Where is the bottleneck? Building the kernels, testing the
kernels or whatever else?

Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/

Reply to: