Re: Security Updates and kernel-tree fun
On Tue, 2005-08-09 at 14:04 +0900, Horms wrote:
> Referring to
> (thanks dannf) I notice that the following kernel-tree versions
> are in use in Sarge:
> 2.4.27-10: alpha, i386, ia64, powerpc (latest)
> 2.4.27-9: powerpc
> 2.4.27-8: s390
> 2.4.27-5: apus (so old its scary)
> 2.6.8-16: alpha, i386, ia64, m68k (latest)
> 2.6.8-15: sparc
> 2.6.8-13: hppa, powerpc, s390
> Now as I understand, security updates can only include security fixes.
> Examining 2.6.8, in the case of arches that use 2.6.8-16, this
> is easy enough, just add security fixes, make that 2.6.8-16sarge1,
> and be done with it. Same for sarge2 and so on and so forth.
I'd like to get an actual "NO" from the security team before giving up
on sharing a single source tree. This would save us from adding
complexity in the build system, which presents its own set of risks. If
that sounds ok to Horms and the security team, maybe we could start by
creating a report of some kind explaining what non-security patches are
going in, and how the affect various architectures?
For example, a table of patches versus kernel-image packages, populated
with symbols noting whether or not the patch is already in sarge or if
its new, whether the changed code is actually built on that arch, etc.
Of course, that assumes the security team would consider this sync; if
not, this is a non-starter. Security Team: what say you?