Re: Linux 2.0.36 in slink?
On Thu, Dec 17, 1998 at 09:22:25PM -0800, Joseph Carter wrote:
> On Thu, Dec 17, 1998 at 09:02:52PM -0800, Oscar Levi wrote:
> > > You seem to be confusing a bug that crashes the kernel and a security hole
> > > that may crash the kernel, or allow access to private info, or anything
> > > else. A security hole can be reproduced at will by an attacker, without a
> > > great deal of difficulty.
> >
> > Is it correct that this security hole requires login access to the
> > computer? If an attack can be perpetrated from anywhere on the
> > internet to an internet connected computer, then it is clear that the
> > hole in 2.0.35 has a high probability of exploitation since a large
> > percentage of GNU/Linux systems are Internet connected. If the attack
> > requires access to a user account on the machine, then the exploit is
> > overrated. It is all in the interpretation of 'great deal of
> > difficulty.'
>
> The 2.0.36 kernel fixes DoS situations, yes this means anywhere on the
> Internet usually.
It is apparent that an Internet accessible exploit is an unacceptable
'feature' to release.
> > > Yes. It's worth a delay to fix any security hole. Debian must not ship with
> > > known security holes. Quality is our priority, we have never sacrificed
> > > quality for marketing concerns.
> >
> > Let's let the security issue pass. It isn't important. I agree we
> > should upgrade. Now, at this point is it worth shipping slink? By
> > the time we get around to gel'ing it, the packages will be out of
> > date. Some already are.
>
> LET THE SECURITY ISSUE PASS?!? This would be a really, really bad idea.
> 2.0.35 has remote DoS exploits possible! Either the fixes need to be
> backported or we need to upgrade. Slink is going to need to be postponed
> until January at least as it is, the extra time to make sure a new stable
> kernel works is probably not going to add any delay to slink, and if it
> does the delay will be insignificant.
I think you misread me. I said to let it pass because it isn't
worth discussing. We need to upgrade for many reasons, and so we
will, right?
> > Software release is time-critical. No matter how hard you beat the
> > quality drum, the distribution that can ship often will show the best.
> > RedHat has shipped several buggy distributions in the 5.x series. I
> > just tried to install 5.2 and found a nest of problems. Unpleasant as
> > it is, users can only choose a distribution that ships. Hamm is out
> > of the running and the competition is fierce. They shipped with bugs
> > that require 30MB of updates. But they shipped...and people use it.
>
> We're better than that aren't we? Isn't that why most of us are Debian
> users and many became Debian developers--because Redhat's rushed and
> buggy releases are frustrating at the very least and because we felt we
> could do better than that?
Perhaps we have gone too far the other way? RedHat is
frustrating...and so is Debian. Have you missed the dissent among
Debian attempters?
I believe we'll get there. I'm not writing these messages to
criticise and then duck back into a cozy job. I'm unemployed, for now.
%^) So, I spend time coding GPL programs and fixing bugs where I find
them.
Cheers.