On Thu, Dec 17, 1998 at 09:22:25PM -0800, Joseph Carter wrote:
> On Thu, Dec 17, 1998 at 09:02:52PM -0800, Oscar Levi wrote:
> > > You seem to be confusing a bug that crashes the kernel and a security hole
> > > that may crash the kernel, or allow access to private info, or anything
> > > else. A security hole can be reproduced at will by an attacker, without a
> > > great deal of difficulty.
> > 
> > Is it correct that this security hole requires login access to the
> > computer?  If an attack can be perpetrated from anywhere on the
> > internet to an internet connected computer, then it is clear that the
> > hole in 2.0.35 has a high probability of exploitation since a large
> > percentage of GNU/Linux systems are Internet connected.  If the attack
> > requires access to a user account on the machine, then the exploit is
> > overrated.  It is all in the interpretation of 'great deal of
> > difficulty.'
> The 2.0.36 kernel fixes DoS situations, yes this means anywhere on the
> Internet usually.

It is apparent that an Internet accessible exploit is an unacceptable
'feature' to release.

> > > Yes. It's worth a delay to fix any security hole. Debian must not ship with
> > > known security holes. Quality is our priority, we have never sacrificed
> > > quality for marketing concerns.
> > 
> > Let's let the security issue pass.  It isn't important.  I agree we
> > should upgrade.  Now, at this point is it worth shipping slink?  By
> > the time we get around to gel'ing it, the packages will be out of
> > date.  Some already are.  
> LET THE SECURITY ISSUE PASS?!?  This would be a really, really bad idea. 
> 2.0.35 has remote DoS exploits possible!  Either the fixes need to be
> backported or we need to upgrade.  Slink is going to need to be postponed
> until January at least as it is, the extra time to make sure a new stable
> kernel works is probably not going to add any delay to slink, and if it
> does the delay will be insignificant.

I think you misread me.  I said to let it pass because it isn't
worth discussing it.  We need to upgrade for many reasons, and so we
will, right?

> > Software release is time-critical.  No matter how hard you beat the
> > quality drum, the distribution that can ship often will show the best.
> > RedHat has shipped several buggy distributions in the 5.x series.  I
> > just tried to install 5.2 and found a nest of problems.  Unpleasant as
> > it is, users can only choose a distribution that ships.  Hamm is out
> > of the running and the competition is fierce.  They shipped with bugs
> > that require 30MB of updates.  But they shipped...and people use it.
> We're better than that aren't we?  Isn't that why most of us are Debian
> users and many became Debian developers--because Redhat's rushed and
> buggy releases are frustrating at the very least and because we felt we
> could do better than that?

Perhaps we have gone too far the other way?  RedHat is
frustrating...and so is Debian.  Have you missed the dissent among
Debian attempters?  

I believe we'll get there.  I'm not writing these messages to
criticise and then duck back into a cozy job.  I'm unemployed, for now.
%^)  So, I spend time coding GPL programs and fixing bugs where I find