
Bug#469901: linux-image-2.6-486: Upgrading from sarge leaves you behind with an old, unsupported and probably soon unsecure kernel



On Fri, Mar 07, 2008 at 08:38:03PM +0100, Uwe Storbeck wrote:
> Package: linux-image-2.6-486
> Severity: important
> 
> I'm not sure if this is the right package to file the report against.
> But as this package probably should have been installed during the
> upgrade I chose it. Be free to reassign the report.
> 
> This system had installed an up-to-date version of sarge with
> standard kernel packages (kernel-image-2.4-k6 version 101sarge2,
> kernel-image-2.4.27-4-k6 version 2.4.27-10sarge7). I upgraded it
> to etch (aptitude update; aptitude dist-upgrade). The upgrade did
> not touch the kernel nor did it warn me that I have to upgrade the
> kernel myself.

The 2.4 kernel packages are just some of the packages that were
obsoleted between sarge and etch. Reviewing obsolete packages is a
suggested part of upgrading to a new release, and is documented in the
release notes:
 http://www.debian.org/releases/etch/i386/release-notes/ch-upgrading.en.html#s-obsolete

> So after the upgrade I end up with a system which has an (in etch)
> unsupported and unmaintained kernel which never will be updated by
> security updates and thus will be unsecure very soon. A standard
> Debian user probably will not realize this fact and will feel secure
> with his upgraded system.
>
> If you upgrade from sarge to etch also the kernel should be upgraded
> to a maintained version or at least there should be a clear warning
> that you have to upgrade the kernel yourself.

This is documented in the release notes:
  http://www.debian.org/releases/etch/i386/release-notes/ch-upgrading.en.html#s-kernel-metapackage

-- 
dann frazier
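
The review of obsolete packages that the reply points to can be partly scripted. The following is an added example, not part of the original message or of Debian's tooling: it reads text in the format printed by `apt-cache policy` and lists installed packages that no configured archive ships any more. The sample input is constructed, using the 2.4 package names and versions from the report plus a made-up linux-image version and mirror URL.

```shell
#!/bin/sh
# Added example: flag installed packages that will never receive an update
# because their only remaining source is the local dpkg status file.
# On a live system the input could come from, for instance:
#   apt-cache policy $(dpkg-query -W -f='${Package}\n' 'kernel-image-*' 'linux-image-*')

# Constructed sample input. The 2.4 package versions are those quoted in the
# bug report; the linux-image version and the mirror URL are placeholders.
sample_policy() {
cat <<'EOF'
kernel-image-2.4-k6:
  Installed: 101sarge2
  Candidate: 101sarge2
  Version table:
 *** 101sarge2 0
        100 /var/lib/dpkg/status
kernel-image-2.4.27-4-k6:
  Installed: 2.4.27-10sarge7
  Candidate: 2.4.27-10sarge7
  Version table:
 *** 2.4.27-10sarge7 0
        100 /var/lib/dpkg/status
linux-image-2.6-486:
  Installed: 2.6.18+6
  Candidate: 2.6.18+6
  Version table:
 *** 2.6.18+6 0
        500 http://mirror.example/debian etch/main Packages
        100 /var/lib/dpkg/status
EOF
}

# Print one package name per line for every installed package that has no
# archive source line in its version table.
obsolete_packages() {
    awk '
        function emit() { if (pkg != "" && installed && !in_archive) print pkg }
        # Package header: unindented line ending in a colon.
        /^[^ ].*:$/ { emit(); pkg = $0; sub(/:$/, "", pkg); installed = 0; in_archive = 0; next }
        $1 == "Installed:" { installed = ($2 != "(none)"); next }
        # Source lines are indented 8 spaces: "<priority> <origin> ...".
        /^        -?[0-9]+ / && $2 != "/var/lib/dpkg/status" { in_archive = 1 }
        END { emit() }
    '
}

sample_policy | obsolete_packages
```

A kernel package on this list after a release upgrade is the situation the report describes: the running kernel is no longer covered by security updates until a maintained image is installed.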



