Re: ABI-changing kernel security fixes for sarge
On Wed, Mar 23, 2005 at 03:13:32PM -0500, Andres Salomon wrote:
> OTOH, I have hardware that's already not supported by sarge (VIA video
> chipset that's only supported by xorg). As much as the security team is
> loath to support multiple kernels, it does seem like having multiple
> kernels in d-i is the safest way to support this sort of thing. We get
> this for free in sarge, by having 2.4 and 2.6 kernels. In the future, it
> might be worth having multiple 2.6 kernels, or decoupling drivers from
> core kernel stuff (core kernel stuff is generally fairly easy to see
> regressions in, so there's no need to have multiple versions of that).
What about building module-specific packages, which divert the broken modules
and replace them? This would even, up to a point, work for remote vulnerabilities
limited to modules in d-i, as it would be easier to supply those .udebs prior
to getting online or enabling the vulnerable module.
Do you have an idea what proportion of security issues involve modules, and
not the core part as you put above?