
kernel security update in stable


Yesterday, the package uploaded in stable with
kernel-image-2.4.18-1-i386 as source was, unfortunately, severely
broken (from 586tsc to 686-SMP).

I understand that a security upgrade cannot wait to pass through unstable
and testing to get into stable. However, everything that could help to
avoid a crucial package like the kernel getting into stable broken
should probably help -- people who run Debian stable don't do it for
the freshness of the packages but definitely because it is, most of
the time, the safest system.

I do not know the specifics about the checks being made for security
uploaded packages; tell me if I am missing something relevant.

This kernel package was broken because many files were
missing, due to the build process.
I assume that a security upgrade most of the time does not add or
remove files.
Wouldn't it be a good and simple idea to give a warning to
the uploader when the build process of a security upgrade resulted in
a notably reduced number of files included in the package?
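One way the check proposed above could look, as an added example that is not part of the original post: a small POSIX shell script that compares the file list of the previously published build with the new one, prints the files that disappeared, and flags the new build when it lost more than a chosen percentage of its files. It assumes the two listings are plain paths, one per line (what `dpkg -L <package>` prints, or `dpkg-deb -c <file>.deb | awk '{print $NF}'` for an uninstalled .deb); the two listings written out below are constructed sample data, not the real kernel-image file lists.

```shell
#!/bin/sh
# Added example (not from the original post): warn when a rebuilt package
# lost a notable fraction of the files the previous build shipped.
# Listings are plain paths, one per line, e.g. from `dpkg -L <package>`.

# Constructed sample listings: the "new" build silently lost three files.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_OLD="$SAMPLE_DIR/old.list"
SAMPLE_NEW="$SAMPLE_DIR/new.list"
cat > "$SAMPLE_OLD" <<'EOF'
/boot/vmlinuz-2.4.18-1-686-smp
/boot/System.map-2.4.18-1-686-smp
/boot/config-2.4.18-1-686-smp
/lib/modules/2.4.18-1-686-smp/kernel/drivers/net/e100.o
/lib/modules/2.4.18-1-686-smp/kernel/drivers/net/eepro100.o
/lib/modules/2.4.18-1-686-smp/kernel/drivers/scsi/aic7xxx.o
/lib/modules/2.4.18-1-686-smp/kernel/fs/ext3/ext3.o
/lib/modules/2.4.18-1-686-smp/modules.dep
/usr/share/doc/kernel-image-2.4.18-1-686-smp/changelog.gz
/usr/share/doc/kernel-image-2.4.18-1-686-smp/copyright
EOF
cat > "$SAMPLE_NEW" <<'EOF'
/boot/vmlinuz-2.4.18-1-686-smp
/boot/System.map-2.4.18-1-686-smp
/boot/config-2.4.18-1-686-smp
/lib/modules/2.4.18-1-686-smp/kernel/drivers/net/e100.o
/lib/modules/2.4.18-1-686-smp/modules.dep
/usr/share/doc/kernel-image-2.4.18-1-686-smp/changelog.gz
/usr/share/doc/kernel-image-2.4.18-1-686-smp/copyright
EOF

# Count non-empty lines in a listing (wc -l alone would miscount a
# file without a trailing newline, so normalise with grep first).
count_files() {
    grep -c . "$1" 2>/dev/null || true
}

# Print every path present in OLD_LIST but absent from NEW_LIST.
# comm needs sorted input, so sort both into a scratch directory.
missing_files() {
    tmp=$(mktemp -d)
    sort -u "$1" > "$tmp/old"
    sort -u "$2" > "$tmp/new"
    comm -23 "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

# Print WARN when NEW_LIST has lost more than THRESHOLD_PCT percent
# (default 20) of OLD_LIST's files, OK otherwise.  An empty old listing
# gives nothing to compare against, so that is reported as OK.
check_file_drop() {
    old_n=$(count_files "$1")
    new_n=$(count_files "$2")
    threshold=${3:-20}
    if [ "$old_n" -eq 0 ] || [ "$new_n" -ge "$old_n" ]; then
        echo OK
        return 0
    fi
    drop_pct=$(( (old_n - new_n) * 100 / old_n ))
    if [ "$drop_pct" -gt "$threshold" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Stand-alone run: report the verdict and the missing paths.
verdict=$(check_file_drop "$SAMPLE_OLD" "$SAMPLE_NEW")
echo "file-count check: $verdict ($(count_files "$SAMPLE_OLD") -> $(count_files "$SAMPLE_NEW") files)"
if [ "$verdict" = "WARN" ]; then
    echo "files present in the previous build but missing from the new one:"
    missing_files "$SAMPLE_OLD" "$SAMPLE_NEW" | sed 's/^/  /'
fi
```

On the constructed data the script reports WARN (10 files down to 7, a 30% drop against a 20% threshold) and lists the three lost module files. The percentage threshold is a guess that an archive maintainer would tune; the more useful signal for a reviewer is usually the list of missing paths itself, since a kernel package that lost its modules directory is obviously wrong whatever the percentage says.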

For the kernel, would it be feasible that before the packages are made
available to the wider public, they get installed successfully on at
least 2 different machines?
Maybe it would be possible to get some people running stable
interested in participating in a security-testing kind of meta-distro
(I would participate if it existed): they would get stable security
upgrades a little time (1 day?) before they get into stable (maybe even
before the DSA goes public), to help find out the most critical issues
before they get into stable.

That way, critical issues like yesterday's would probably be
avoided more easily.

Opinions? Not feasible? More work than potential benefits?

I have to say that I have a server that will require manual
intervention due to yesterday's broken package (next time, I'll
definitely run dpkg --listfiles after a kernel upgrade), which is a
pain in the ass. It is not a big deal because this machine does not
run any public service, but it's still annoying.


Mathieu Roy

  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
