
Bug#550379: closed by Bastian Blank <waldi@debian.org> (Re: Bug#550379: linux-kbulid-2.6: embeds linux-2.6)



On Fri, Oct 09, 2009 at 05:49:13PM -0400, Michael Gilbert wrote:
> > On Fri, Oct 09, 2009 at 02:04:20PM -0400, Michael Gilbert wrote:
> >> the linux-kbuild-2.6 source package includes portions of code from the
> >> linux-2.6 source package (i.e. everything in ./kbuild/*).  this is bad
> >> in terms of security support because it causes more work for the
> >> security team and increases the risk of errors, omissions, and mistakes.
> > No, it does not. It is a different source package and both are derived
> > from the same upstream code. 
> two different source packages with portions being the same code are
> considered a case of an embedded code copy; which is generally
> considered bad practice from a security perspective.

Well, please start with every source using autoconf then. autoconf
embeds copies of a large amount of source code snippets in the targets.
This has about the same practical relevance and use as the code we
are talking about.

> >> less significant, but also important, is that since the kbuild package
> >> is separated from the linux package, the kbuild packages always lag by
> >> weeks or months after a new kernel release; making it impossible to
> >> build modules for that new kernel.
> >> the recommended course of action is to update the linux-2.6 source
> >> package to also build the kbuild binaries.  thanks.
> > This is not possible for other reasons.
> what are these reasons, and why do they seem so insurmountable?

They are backed by §4 Social Contract. To be exact, it is part of the
cross-compile support in the linux packages. And yes, this is heavily
used.

Bastian

-- 
Vulcans worship peace above all.
		-- McCoy, "Return to Tomorrow", stardate 4768.3


