On Sat, 2011-02-19 at 14:04 -0500, Michael Gilbert wrote:
> On Sat, 19 Feb 2011 18:48:40 +0000 Ben Hutchings wrote:
>
> > On Sat, 2011-02-19 at 13:12 -0500, Michael Gilbert wrote:
[...]
> > > 2. Improve testing security by reducing the amount of vulnerabilities
> > > existent in older kernels (roughly 67% fewer in 2.6.32 vs 2.6.37 as
> > > described previously)
> >
> > Huh? I don't see any source for this figure.
>
> http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000193.html
> http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000194.html

I read those and I can't see any source for comparison between 2.6.32
and 2.6.37. In fact you say that 'squeeze (2.6.32) was vulnerable to
98% (51 out of 52)' which implies only 2% fewer vulnerabilities.

> > [...]
> > > > (which is also important for new hardware support).
> > >
> > > This seems to be a meme that continues to persist without much in the
> > > way of evidence. It certainly may have been true in the past, but I
> > > think things have changed for the better with the advent of stable
> > > upstream support (i.e. support for new hardware is backported to the
> > > stable kernels).
> > >
> > > Also, I've read about 10 reviews of squeeze, and none of them have
> > > indicated any problems with hardware support (except for missing
> > > support for non-free firmware) even though that uses a kernel initially
> > > released almost a year and a half ago.
> > [...]
> >
> > I can assure you there is already a substantial backlog of new hardware
> > that is currently unsupported in squeeze. For example, any current ATI
> > graphics chip. And this is at the start of squeeze's lifetime, not the
> > end.
>
> I've been using ati cards exclusively for some time now; although I've
> also been willing to install the fglrx driver for full support ;)

Then I really can't take your concern for security seriously. The
changelog for fglrx-source has no mention of security fixes, and I
don't for one moment believe there are no vulnerabilities in it.

> Also, the xorg vesa driver does work.

Seems like a waste of money to buy an ATI card and then use it as a
dumb framebuffer.

> Again, if the user is interested in such new developments, they will
> need to be willing to learn how to run an unstable system.

I thought that users interested in new stuff were supposed to run CUT.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.