Re: kernel security update in stable
Mathieu Roy wrote:
> Yesterday, the package uploaded in stable with
> kernel-image-2.4.18-1-i386 as source was, unfortunately, severely
> broken (from 586tsc to 686-SMP).
I'm sorry for this mess caused by me. I've fixed it as soon as I
could (compiling takes a while for all those packages from one
So the baseline is: This problem is fixed.
> I do not know the specifics about the checks being made for security
> uploaded packages, tell me if I miss something relevant.
We do our best to test the packages. The other kernels were
test-booted by their respective port maintainers; this one wasn't,
unfortunately, so the problem wasn't recognised in time.
> I assume that a security upgrade most of the time does not include or
> remove files.
True. There are only a few exceptions.
> Wouldn't it be a good and simple idea to give a warning to
> the uploader when the build process of a security upgrade resulted in
> a notably reduced number of files included in the package?
Yes. I'll make more use of debdiff before uploading.
> For the kernel, would it be feasible that before the packages are made
> available to the wide public, they got installed with success on, at
> least, 2 different machines.
Well, in general yes. The other kernels were test-booted.
The problem may be to find somebody who has (a) the correct
architecture, (b) runs the proper system on it, i.e. woody, and (c)
does not run a production system he may not take down for 10 minutes.
This caused a problem for one architecture already where the
maintainers didn't have stable on their systems anymore and the kernel
won't work with unstable.
> Opinions? Not feasible? More work than potential benefits?
Partially it is more work than benefits.
> I have to say that I got a server that will require manual
> intervention due to yesterday's broken package (next time, I'll
> definitely make a dpkg --listfiles after kernel upgrade), that's a
> pain in the ass. It is not a big deal because this machine does not
> run any public service, but it's still annoying.
You can simplify this by installing debdiff and wdiff. Just for your
Life is too short to run proprietary software. -- Bdale Garbee
Please always Cc to me when replying to me on the lists.
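The check Mathieu proposes above, a warning when a rebuilt package ships notably fewer files than the build it replaces, written out as an added example in POSIX sh; this is not code from the mail or from Debian's own tooling. The two file lists are constructed samples in the shape of `dpkg --listfiles` output, and the 586tsc paths and the 20% threshold are assumptions.

```shell
#!/bin/sh
# Added example: flag a package build whose file list shrank markedly
# compared with the previous build of the same package.
# Both lists below are constructed sample data, not real package contents.

OLD_LIST='/boot/vmlinuz-2.4.18-1-586tsc
/boot/System.map-2.4.18-1-586tsc
/lib/modules/2.4.18-1-586tsc/kernel/drivers/net/8139too.o
/lib/modules/2.4.18-1-586tsc/kernel/drivers/net/eepro100.o
/lib/modules/2.4.18-1-586tsc/kernel/fs/ext3/ext3.o
/lib/modules/2.4.18-1-586tsc/kernel/fs/jbd/jbd.o
/lib/modules/2.4.18-1-586tsc/modules.dep
/usr/share/doc/kernel-image-2.4.18-1-586tsc/changelog.Debian.gz'

# The broken rebuild: kernel and docs are there, but the modules are gone.
NEW_LIST='/boot/vmlinuz-2.4.18-1-586tsc
/boot/System.map-2.4.18-1-586tsc
/lib/modules/2.4.18-1-586tsc/modules.dep
/usr/share/doc/kernel-image-2.4.18-1-586tsc/changelog.Debian.gz'

# count_files LIST -> number of non-empty lines in LIST
count_files() {
    printf '%s\n' "$1" | grep -c . || true
}

# removed_files OLD NEW -> paths that are in OLD but missing from NEW
removed_files() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done
}

# drop_percent OLD NEW -> integer percentage of OLD's files absent from NEW
drop_percent() {
    old_n=$(count_files "$1"); new_n=$(count_files "$2")
    [ "$old_n" -gt 0 ] || { echo 0; return; }
    echo $(( (old_n - new_n) * 100 / old_n ))
}

# check_upload OLD NEW THRESHOLD -> prints WARN (details on stderr) when
# the new list lost at least THRESHOLD percent of the files, else OK
check_upload() {
    pct=$(drop_percent "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "warning: $pct% fewer files than the previous build; missing:" >&2
        removed_files "$1" "$2" >&2
        echo WARN
    else
        echo OK
    fi
}

check_upload "$OLD_LIST" "$NEW_LIST" 20
```

In practice the lists would come from `dpkg --listfiles` of the installed package and `dpkg-deb -c` of the freshly built .deb, run before the upload rather than after the upgrade.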