Re: Security Supporting Debian Kernels in Sarge
Martin Schulze wrote:
> We need to improve our kernel maintenance or it will be impossible to
> support the Linux kernel security-wise in the future. We = Security
> Team at the moment.
> Some of you may have noticed that I'm struggling again (or rather
> still) with kernel updates for woody. Even though this update went a
> lot better than the last one, it is still not yet finished for all
> In woody there are currently:
> 8 "native" kernel source packages (4x 2.2 and 4x 2.4)
> 28 kernel image/patch source packages
> 3 kernel image source packages including the full source
> Just to give you an impression of the sheer amount of source packages
> that need to be taken care of for a security update in the Linux
> kernel, here's a list of the packages I know of and I am working
> KV kernel-source 2.2.10
> KV kernel-source 2.2.19
> KV kernel-source 2.2.20
> KV kernel-source 2.2.22
> KV kernel-source 2.4.16
> KV kernel-source 2.4.17
> KV kernel-source 2.4.18
> KV kernel-source 2.4.19
> Source: kernel-image-2.2.22-alpha
> Source: kernel-image-2.4.18-alpha
> Source: kernel-image-2.2.19-netwinder
> Source: kernel-image-2.2.19-riscpc
> Source: kernel-image-2.4.16-lart
> Source: kernel-image-2.4.16-netwinder
> Source: kernel-image-2.4.16-riscpc
> Source: kernel-patch-2.4.16-arm
> Source: kernel-image-2.4.17-hppa
> Source: kernel-image-2.4.18-hppa
> Source: kernel-image-2.2.20-i386
> Source: kernel-image-2.2.20-reiserfs-i386
> Source: kernel-image-2.4.18-i386
> Source: kernel-image-2.4.18-i386bf
> Source: kernel-image-2.4.17-ia64
> Source: kernel-image-2.2.20-amiga
> Source: kernel-image-2.2.20-atari
> Source: kernel-image-2.2.20-bvme6000
> Source: kernel-image-2.2.20-mac
> Source: kernel-image-2.2.20-mvme147
> Source: kernel-image-2.2.20-mvme16x
> Source: kernel-patch-2.4.17-mips
> Source: kernel-patch-2.4.19-mips
> Source: kernel-image-2.2.10-powerpc-apus
> Source: kernel-image-2.2.20-powerpc
> Source: kernel-patch-2.4.17-apus
> Source: kernel-patch-2.4.18-powerpc
> Source: kernel-image-2.4.17-s390
> Source: kernel-patch-2.4.17-s390
> Source: kernel-image-sparc-2.2
> Source: kernel-image-sparc-2.4
> To make it worse the source packages went rather out of sync with
> regards to security related updates. For the most important ones,
> they are in sync again, but it's a pita to maintain.
> It was even worse than this since several kernel packages did not even
> built anymore on woody, for various reasons. For some the respective
> kernel-source package was removed, for others the code wasn't
> compatible with the compiler anymore. Don't ask me why.
> I'm still not done with the CAN-2004-0077 (mremap) update and still
> working on the CAN-2004-0109 (iso9660) update.
> However, after fighting for months on an update for CAN-2004-0077 for
> all architectures and all kernels, it was a lot easier to provide
> updates for the CAN-2004-0109 vulnerability.
> In order to be able to provide security updates for the kernel in
> sarge certain rules need to apply. Otherwise we will not be able to
> provide updates properly. We've already done a rather poor job in the
> past, and the situation in sarge/sid is not looking promising.
> 1. The number of different kernel versions must not increase!
> 2. It is insane to expect us to support three main kernel lines
> (2.2, 2.4 *and* 2.6).
The main problem here appears to be the arch which still isn't supported by
2.4 or 2.6, namely m68k. 2.2 is pretty dead development-wise anyway and is
likely to security holes which were fixed incidentally during 2.4
I see only one way to deal with that: drop security support for m68k. :-P
> At the moment we have 10 kernel source packages in sarge, which is
> already two more than in woody, and at lest one source package is
> missing (leading to an FTBFS for at least one kernel image package).
> This is too much!
> kernel-source-2.2.25 testing 2.2.25-3 all source
> kernel-source-2.4.19 testing 2.4.19-11 all source
> kernel-source-2.4.20 testing 2.4.20-14 all source
> kernel-source-2.4.21 testing 2.4.21-8 all source
> kernel-source-2.4.22 testing 2.4.22-7 all source
> kernel-source-2.4.24 testing 2.4.24-3 all source
Bleah! Who isn't using 2.4.25? Fess up! If there are known
problems with 2.4.25 on your subarch or variant, fix them!
> kernel-source-2.4.25 testing 2.4.25-1 all source
> kernel-source-2.6.3 testing 2.6.3-2 all source
> kernel-source-2.6.4 testing 2.6.4-1 all source
> kernel-source-2.6.5 testing 2.6.5-1 all source
I really don't see why we need all of these. Can't we just stick with they
newest 2.6 and leave out the previous point releases? 2.6 point releases
seem to have been pretty good about not breaking anything. Why not, for
that matter, just have a kernel-source-2.6 package?
> There are also 31 kernel-image packages for various architectures and
> versions. This is too much!
> kernel-image-2.2.10-powerpc-apus testing 2.2.10-13 source
This should be removed entirely; it's replaced by something newer.
> kernel-image-2.2.25-amiga testing 2.2.25-4 source
> kernel-image-2.2.25-atari testing 2.2.25-4 source
> kernel-image-2.2.25-bvme6000 testing 2.2.25-4 source
> kernel-image-2.2.25-mac testing 2.2.25-4 source
> kernel-image-2.2.25-mvme147 testing 2.2.25-4 source
> kernel-image-2.2.25-mvme16x testing 2.2.25-4 source
<snip lots of 2.4.x>
All this 2.4.x stuff should be removed in favor of 2.4.25 versions.
> kernel-image-2.4.25-alpha testing 2.4.25-1 source
> kernel-image-2.4.25-amiga testing 2.4.25-1 source
> kernel-image-2.4.25-arm testing 2.4.25-3 source
> kernel-image-2.4.25-atari testing 2.4.25-1 source
> kernel-image-2.4.25-bvme6000 testing 2.4.25-1 source
> kernel-image-2.4.25-hppa testing 2.4.25-2 source
> kernel-image-2.4.25-i386 testing 2.4.25-1 source
> kernel-image-2.4.25-ia64 testing 2.4.25-4 source
> kernel-image-2.4.25-mac testing 2.4.25-1 source
> kernel-image-2.4.25-mvme147 testing 2.4.25-1 source
> kernel-image-2.4.25-mvme16x testing 2.4.25-1 source
<snip 2.6.3, 2.6.4>
Why not 2.6.5?
> kernel-image-sparc-2.2 testing 9 source
Which sparc subarch really needs this?
> kernel-image-sparc-2.4 testing 35 source
> kernel-image-speakup-i386 testing 2.4.24-1 source
This should be switched to use 2.4.25.
> I haven't checked whether build dependencies are still fulfilled but
> looking at kernel-image-2.2.10-powerpc-apus and
> kernel-image-2.4.17-s390 I have some doubts they are.
> There are also 62 kernel-patch packages of which at least the
> following 17 seem to produce kernel-image packages:
<snip more 2.4.x>
These should all be removed in favor of 2.4.25. If there are known
problems with 2.4.25 on your arch or subarch, fix them. (mips?)
> kernel-patch-2.4.25-apus testing 2.4.25-2 source
> kernel-patch-2.4.25-arm testing 20040316 source
> kernel-patch-2.4.25-hppa testing 2.4.25-pa1 source
> kernel-patch-2.4.25-ia64 testing 2.4.25-2 source
> kernel-patch-2.4.25-m68k testing 2.4.25-1 source
> kernel-patch-2.4.25-powerpc testing 2.4.25-4 source
> kernel-patch-2.4.25-s390 testing 2.4.25-1 source
> kernel-patch-2.6.3-ia64 testing 2.6.3-2 source
> kernel-patch-2.6.4-ia64 testing 2.6.4-1 source
> This makes it 10 kernel source packages, with at least two missing and
> 48 kernel image/patch packages that need to be taken care of in case
> of a security update.
There are none so blind as those who will not see.