
Re: debian/kernel security issues (Was: Re: Bits (Nybbles?) from the Vancouver release team meeting)



On Tue, Mar 15, 2005 at 04:21:21AM -0500, Joey Hess wrote:
> Sven Luther wrote:
> > There is this vendor-specific-security-announce-with-embargo thingy.
> > 
> > The debian kernel team mostly handles the unstable and testing kernel, and is
> > not in the loop for getting advance advice on those problems, so we cannot
> > build fixed versions until the vulnerability gets announced, and thus we can't
> > upload kernels in a timely fashion like ubuntu or other vendors do, who often
> > have a couple of weeks of advance warning. On slower arches this could be a
> > problem.
> > 
> > The debian-security team is handling stable only, and there are no security
> > updates for unstable until way after the embargo is over, and for testing a
> > bit after that, depending on whether the kernels get hinted in or not.
> > 
> > To have proper security-in-testing-or-unstable for the kernel, the
> > debian-kernel security team, or at least a few members of it, need to be made
> > aware of the embargoed security holes, and get a chance to fix them in
> > advance, maybe with a private or security non-public copy of our svn tree
> > (using svk maybe).
> > 
> > This is not an ubuntu-related problem though, and the help the ubuntu
> > kernel/security team has provided us was invaluable, but it should maybe not
> > be necessary if the information was not unrightfully withheld from us in the
> > first place.
> 
> You seem to be implying that ubuntu is providing you with confidential
> prior warning about kernel security holes, but I really doubt this,

Nope, but I was at one time hinted that I should wait a couple of days before
starting a 12-hour build.

> since many of the ubuntu security advisories that I've backchecked
> against the debian kernels have turned out to still be unfixed in the
> kernel team's svn weeks later.

There is nobody actively doing debian security for unstable kernels right now,
well, not consistently, and not with the kind of advance warning that is
needed. This is rather a disappointment, I believe. But I understand that our
security team doesn't want to, or cannot, care about unstable/testing security
updates.

> My experience is that the kernel security team is not very quick to fix
> publicly known security holes, or to make uploads specifically for
> those holes once they have a fix. Even if we limit it to fixing the
> kernel-source packages and ignore the whole issue of rebuilding
> kernel-image packages for all arches.

No, but it is coming, and should be improved post-sarge hopefully. The
kernel-team has come a long way since Herbert abandoned it for
chinese-internal-political-differences, but there is still no real interaction
between the kernel-team and the security team.

Still, people on the vendor list or whatever have weeks advance knowledge of
those security problems.

Also, as said, post-sarge the rebuild issues will be fixed by a single kernel
package infrastructure, although I am not sure how our auto-builders will
support that, but we will see. The sarge kernel is mostly frozen anyway so it
is out of our hands.

Friendly,

Sven Luther


