
Re: kernel security update in stable

Mathieu Roy wrote:
> Yesterday, the package uploaded in stable with
> kernel-image-2.4.18-1-i386 as source was, unfortunately, severely
> broken (from 586tsc to 686-SMP). 

I'm sorry for this mess caused by me.  I've fixed it as soon as I
could (compiling takes a while for all those packages from one

So the baseline is: This problem is fixed.

> I do not know the specifics about the checks being made for security
> uploaded packages, tell me if I miss something relevant.

We do our best to test the packages.  The other kernels were
test-booted by their respective port maintainers, this one wasn't,
unfortunately, so the problem wasn't recognised in time.

> I assume that a security upgrade most of the time does not include or
> remove files.  

True.  There are only a few exceptions.

> Wouldn't it be a good and simple idea to give a warning to
> the uploader when the build process of a security upgrade resulted in
> a notably reduced number of files included in the package?  

Yes.  I'll be more utilised to run debdiff before uploading.

> For the kernel, would it be feasible that before the package are made
> available to the wide public, they got installed with success on, at
> least, 2 different machines.

Well, in general yes.  The other kernels were test-booted.

The problem may be to find somebody who has (a) the correct
architecture, (b) runs the proper system on it, i.e. woody, and (c)
does not run a production system he may not take down for 10 minutes.
This caused a problem for one architecture already where the
maintainers didn't have stable on their systems anymore and the kernel
won't work with unstable.

> Opinions? Not feasible? More work than potential benefits?

Partially it is more work than benefits.

> I have to say that I got a server that will require manual
> intervention due to yesterday's broken package (next time, I'll
> definitely make a dpkg --listfiles after kernel upgrade), that's a
> pain in the ass. It is not a big deal because this machine does not
> run any public service, but it's still annoying. 

You can simplify this by installing debdiff and wdiff.  Just for your

Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.
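The file-count warning Mathieu proposes, turned into a check a maintainer can run before uploading or after installing. This is an added example, not code from the thread or from Debian's own tooling; it assumes dpkg-deb is installed for reading .deb files, and the 10% threshold is an assumed default, not a policy value.

```shell
#!/bin/sh
# Added example, not from the thread: flag a rebuilt package that ships
# notably fewer files than the version it replaces. Assumes dpkg-deb is
# installed for real .deb files; the comparison itself only needs two
# plain file lists, so it can also be fed "dpkg --listfiles" output taken
# before and after an upgrade. The 10% default threshold is an assumption.

# Print the paths inside a .deb, one per line, without the leading "./".
deb_file_list() {
    dpkg-deb -c "$1" | awk '{ sub(/^\.\//, "", $6); print $6 }'
}

# compare_file_lists OLD_LIST NEW_LIST [MAX_DROP_PERCENT]
# Prints the paths the new list lost (stdout) and a summary (stderr).
# Returns 0 if the loss is within the threshold, 1 if it exceeds it,
# 2 on unusable input.
compare_file_lists() {
    old_list=$1; new_list=$2; max_drop=${3:-10}
    old_n=$(grep -c . "$old_list") || old_n=0
    new_n=$(grep -c . "$new_list") || new_n=0
    if [ "$old_n" -eq 0 ]; then
        echo "old list is empty, nothing to compare" >&2
        return 2
    fi
    # percentage of the old package's files that are gone (integer math)
    drop=$(( (old_n - new_n) * 100 / old_n ))
    tmp=$(mktemp -d) || return 2
    sort "$old_list" > "$tmp/old"
    sort "$new_list" > "$tmp/new"
    comm -23 "$tmp/old" "$tmp/new"      # in old but not in new
    rm -rf "$tmp"
    echo "old: $old_n files, new: $new_n files, lost: $drop%" >&2
    if [ "$drop" -gt "$max_drop" ]; then
        echo "WARNING: more than $max_drop% of the files disappeared" >&2
        return 1
    fi
    return 0
}

# check_deb_pair OLD.deb NEW.deb [MAX_DROP_PERCENT]: the same check run
# directly on two package files, e.g. the previous and the new upload.
check_deb_pair() {
    pair_tmp=$(mktemp -d) || return 2
    deb_file_list "$1" > "$pair_tmp/old.list"
    deb_file_list "$2" > "$pair_tmp/new.list"
    if compare_file_lists "$pair_tmp/old.list" "$pair_tmp/new.list" "${3:-10}"
    then rc=0; else rc=$?; fi
    rm -rf "$pair_tmp"
    return $rc
}

if [ "$#" -ge 2 ]; then
    check_deb_pair "$@"
fi
```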
