Adrian Bunk <bunk@debian.org> writes:

> On Tue, Nov 25, 2025 at 10:22:44AM +0100, Simon Josefsson wrote:
>> Bastian Blank <waldi@debian.org> writes:
>>...
>> > Nope. Neither do we add multiple copies of the same source, nor is this
>> > package security supportable by definition.
>>
>> I think that is a subjective statement. Debian ships the same source
>> many times over already with all vendored code in the archive. Debian
>> also ships packages that do not come with security support, e.g., most
>> of the Rust/Go eco-systems. I hear your desire not to have more of that
>> though (which I agree with).
>
> How big is the libre patch, and how likely is it to break due to changes
> on a kernel LTS branch?
>
> If the patches are small and unlikely to break on an LTS branch, you
> could build a different kernel based on linux-source-<version> from
> src:linux.
>
> user-mode-linux is a precedent for that, up to buster with patches.
>
> user-mode-linux is already rebuilt for point releases, security support
> for static ecosystems will cover such packages also for DSAs.

Thanks for the pointer! I don't know the answer, but it looks worth
exploring.

Taking a step back, a linux-image-libre *.deb can be achieved in several
ways:

1) Package using linux-libre as upstream source code. There are *.deb's
   for linux-libre presumably built this way. I can sympathise with
   trying to avoid this approach to reduce code duplication in Debian.

2) The Trisquel way that takes the Ubuntu source package, unpacks it,
   runs a script on the tree patching things into something that builds:

   https://gitlab.trisquel.org/trisquel/package-helpers/-/blob/aramo/helpers/make-linux
   https://gitlab.trisquel.org/trisquel/package-helpers/-/blob/aramo/helpers/make-linux-hwe-6.8
   https://gitlab.trisquel.org/trisquel/package-helpers/-/blob/ecne/helpers/make-linux-hwe-6.14

   This is what I've been using on my machines (amd64, arm64, ppc64el)
   for a couple of years now. The helper scripts have seen some
   modifications, but they seem to cope with Ubuntu's linux kernel
   changes relatively fine. The non-free stuff in the kernel is rarely
   touched upstream nowadays.

3) Packaging using the user-mode-linux approach, taking the Linux source
   code from another package, patching it from debian/rules into a
   linux-libre kernel, and then building and using that.

4) Something based on running linux-libre's deblob script directly:

   https://linux-libre.fsfla.org/pub/linux-libre/releases/6.12.59-gnu/deblob-6.12

Approach 3) is similar to 2), but not exactly. I think 2) is loosely
synched with 4) but the design is very different. I think the majority
of the Trisquel or linux-libre deblob scripts could be turned into
debian/rules commands for a 3)-like 'user-mode-linux'-but-libre
solution, and I will explore that.

/Simon