Re: down to the core

To: debian-firewall@lists.debian.org
Subject: Re: down to the core
From: Daniel Pittman <daniel@rimspace.net>
Date: Sat, 24 Jul 2004 11:10:48 +1000
Message-id: <[🔎] 87ekn21a7b.fsf@enki.rimspace.net>
References: <[🔎] 1090621559.5213.3.camel@jmedina.calcom.com.mx> <[🔎] 20040723231429.81956.qmail@web11901.mail.yahoo.com>

On 24 Jul 2004, Mike Mestnik wrote:
> It's a sad day indeed when ppl equate patching with security. 

That, frankly, didn't seem like the OPs point at all. He asked if, while
he was building a custom kernel anyway, there was anything else worth
adding.

That is rather different from "I must patch to increase security".

[...]

> Just to make things clear kernel patches SHOULD be considered a security
> risk.  

...because, y'know, plugging a network cable into a machine isn't a
security risk, and trusting the Debian maintainer isn't a security
risk...

> Learn to work within what is stable and true(2.4 or better 2.2) or
> sacrifice your security for freedom you will.

That statement is rather more fear than fact, isn't it?

> 1. Debian's initrd uses the cramfs patch, not found in the pristine
> source, using these kernels may result in an undesired affect or boot
> hack.  It's true that it's relatively easy to get a prestine kernel
> booting.

So, are you saying that Debian kernels are a security risk, so should be
avoided in favor of the kernel.org kernel?

I must admit that there have been, to my knowledge, no less security
holes in the upstream kernel than the Debian tree, and they are fixed
quite promptly - often faster than a new upstream release kernel comes
out...

Certainly, it seems unfounded to state that the Debian kernels are less
well secured than the upstream kernel -- especially in view of the
development policy that has distributions like Debian responsible for
the final stabilization of the kernel code...

> 2. Using patches against the debian kernel tree is an even worse idea, you
> never know what kind of doors you will open.  It's true there are patches
> out there for the debian source trees, but these are the exception not the
> rule.

The majority of patches for the upstream tree apply to the Debian tree,
and a reasonable number are already packaged and maintained for Debian.

    Daniel
-- 
Among those whom I like, I can find no common denominator,
but among those whom I love, I can: all of them make me laugh.
        -- W.H. Auden

Reply to:

Follow-Ups:
- Re: down to the core
  - From: Sykotic <sykoticchaos@verizon.net>

References:
- Re: down to the core
  - From: Jorge Armando Medina <jmedina@calcom.com.mx>
- Re: down to the core
  - From: Mike Mestnik <cheako911@yahoo.com>

Prev by Date: Re: down to the core
Next by Date: Re: down to the core
Previous by thread: Re: down to the core
Next by thread: Re: down to the core
Index(es):
- Date
- Thread