Re: kernel security update in stable

To: Mathieu Roy <yeupou@coleumes.org>
Cc: Debian Developers List <debian-devel@lists.debian.org>
Subject: Re: kernel security update in stable
From: Martin Schulze <joey@infodrom.org>
Date: Mon, 19 Apr 2004 11:07:28 +0200
Message-id: <[🔎] 20040419090728.GA28565@finlandia.infodrom.north.de>
In-reply-to: <[🔎] m3vfk11qxp.fsf@wotan.attique.in>
References: <[🔎] m3vfk11qxp.fsf@wotan.attique.in>

Mathieu Roy wrote:
> Yesterday, the package uploaded in stable with
> kernel-image-2.4.18-1-i386 as source was, unfortunately, severily
> broken (from 586tsc to 686-SMP). 

I'm sorry for this mess caused by me.  I've fixed it as soon as I
could (compiling takes a while for all those packages from one
source).

So the baseline is: This problem is fixed.

> I do not know the specifics about the checks being made for security
> uploaded packages, tell me if I miss something relevant.

We do our best to test the packages.  The other kernels were
test-booted by their respective port maintainers, this one wasn't,
unfortunately, so the problem wasn't recognised in time.

> I assume that a security upgrade most of the time does not include or
> remove files.  

True.  There are only a few exceptions.

> Wouldn't it be a good and simple idea to give a warning to
> the uploader when the build process of a security upgrade resulted in
> a notably reduced number of files included in the package?  

Yes.  I'll be more utilised to run debdiff before uploading.

> For the kernel, would it be feasible that before the package are made
> available to the wide public, they got installed with success on, at
> least, 2 differents machines.

Well, in general yes.  The other kernels were test-booted.

The problem may be to find somebody who has (a) the correct
architecture, (b) runs the proper system on it, i.e. woody, and (c)
does not run a production system he may not take down for 10 minutes.
This caused a problem for one architecture already where the
maintainers didn't have stable on their systems anymore and the kernel
won't work with unstable.

> Opinions? Not feasible? More work than potential benefits?

Partially it is more work than benefits.

> I have to say that I got a server that will require manual
> intervention due to yesterday broken package (next time, I'll
> definitely make a dpkg --listfiles after kernel upgrade), that's a
> pain in the ass. It is not a big deal because this machine does not
> run any public service, but it's still annoying. 

You can simplify this by installing debdiff and wdiff.  Just for your
information.

Regards,

	Joey

-- 
Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.

Reply to:

Follow-Ups:
- Re: kernel security update in stable
  - From: Mathieu Roy <yeupou@coleumes.org>

References:
- kernel security update in stable
  - From: Mathieu Roy <yeupou@coleumes.org>

Prev by Date: Re: Full Debian install impressions and facts
Next by Date: Bug#244647: ITP: fbpager -- a pager application for the Fluxbox window manager
Previous by thread: kernel security update in stable
Next by thread: Re: kernel security update in stable
Index(es):
- Date
- Thread