Re: 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?

To: Horms <horms@debian.org>
Cc: debian-volatile@volatile.debian.net, security@debian.org, debian-kernel@lists.debian.org, team@security.debian.org
Subject: Re: 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?
From: dann frazier <dannf@hp.com>
Date: Mon, 01 Aug 2005 20:58:53 -0600
Message-id: <[🔎] 1122951534.20136.19.camel@krebs.dannf>
In-reply-to: <[🔎] 20050802033226.GD13071@verge.net.au>
References: <[🔎] 1122945986.6372.41.camel@krebs.dannf> <[🔎] 20050802033226.GD13071@verge.net.au>

On Tue, 2005-08-02 at 12:32 +0900, Horms wrote:
> On Mon, Aug 01, 2005 at 07:26:26PM -0600, dann frazier wrote:
> > hey,
> >   Sorry if this has already been discussed; but I noticed that although
> > 2.6.8-16 is the latest version of kernel-source in sarge[1],
> > 2.6.8-15sarge1 appears to be what is in the works[2] for a security
> > update.
> > 
> > All the patches referenced in -16 are already in svn for 2.6.8-15sarge1,
> > so looks like its not a regression problem.  The problems would be the
> > decreasing version string and missing 'Provides:
> > kernel-tree-2.6.8-16' (and the cosmetic issue of the missing changelog
> > snippet.)
> > 
> >   Just checking to make sure I'm not on crack; if not, I'll be happy to
> > relinearize things.
> > 
> > [1]
> > $ grep-dctrl -F Package  -s Version kernel-source-2.6.8 < Sources.sarge
> > Version: 2.6.8-16
> > [2]
> > $ svn cat svn://svn.debian.org/svn/kernel/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog | head
> 
> Ok, I think I am the cause of confusion here.

Oh, ok; I'd been working under the (bad) assumption that trunk was
security + stuff for a point release, and sarge-security was
security-only.  That answers another question I had as well...

> I prepared 2.6.8-15sarge1 and 2.6.8-16 at the same time.  Is basically
> the security fixes only version of 2.6.8-16.  The plan was to try and
> get 2.6.8-15sarge1 released as a security updated, and release of
> 2.6.8-16 into unstable, then testing, and finaly sarge r1. However it
> turned out to be easier to slip of 2.6.8-16 into sarge, and
> 2.6.8-15sarge1 was never released.  That is 2.6.8-15sarge1 is dead. It
> will move it to obsolete to avoid further confusion.
> 
> In the mean time I have been working on updates to 2.6.8-16.  These are
> in the main trunk as 2.6.8-17. These are mostly security updates.
> However the problem that the security team seems to have very little
> interest in corrseponding with the kernel team is still present, and for
> this reason I am very dubious about the possibility of making a seurity
> update. For this reason I have recently been exploring the idea of making
> updates to volitile.
> 
> Using volile seems to have to advantages 1) we can put non-security
> fixes in, like fixes for broken drivers and 2) the security
> team don't need to be involved in these updates, which I imagine
> they would be quite pleased about.

I like the idea from those perspectives; but most of our users are going
to be completely ignorant of these fixes when apt-get doesn't pull in a
new version and no DSA ever appears.  I think its *critical* that these
changes go in through the security team.

fyi, I've added team@security.debian.org to the cc list; that's their
preferred address, iirc; though its not obvious from the FAQ :)

> On a related note, I'd like to remove 2.6.8 and 2.4.27 from unstable.
> This means removing 2.4 from unstable. Let the fun begin.

yay :)

Reply to:

Follow-Ups:
- Re: 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?
  - From: Horms <horms@debian.org>

References:
- 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?
  - From: dann frazier <dannf@dannf.org>
- Re: 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?
  - From: Horms <horms@debian.org>

Prev by Date: Re: 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?
Next by Date: backporting 2.6.12.3 fixes to 2.6.8
Previous by thread: Re: 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?
Next by thread: Re: 2.6.8-16 in sarge; 2.6.8-15sarge1 for security?
Index(es):
- Date
- Thread