
Re: [cut-team] For discussion: security support strategy for the wheezy kernel



On Sat, 19 Feb 2011 19:32:08 +0000 Ben Hutchings wrote:

> On Sat, 2011-02-19 at 14:04 -0500, Michael Gilbert wrote:
> > On Sat, 19 Feb 2011 18:48:40 +0000 Ben Hutchings wrote:
> > 
> > > On Sat, 2011-02-19 at 13:12 -0500, Michael Gilbert wrote:
> [...]
> > > > 2. Improve testing security by reducing the amount of vulnerabilities
> > > > existent in older kernels (roughly 67% fewer in 2.6.32 vs 2.6.37 as
> > > > described previously)
> > > 
> > > Huh?  I don't see any source for this figure.
> > 
> > http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000193.html
> > http://lists.alioth.debian.org/pipermail/cut-team/2011-February/000194.html
> 
> I read those and I can't see any source for comparison between 2.6.32
> and 2.6.37.  In fact you say that 'squeeze (2.6.32) was vulnerable to
> 98% (51 out of 52)' which implies only 2% fewer vulnerabilities.

I suppose the way I said that is confusing.  That research was from
past results, and my latest statement is a projection based on the
past.  In other words, if lenny was vulnerable to 67% of the issues that
squeeze was, I'm projecting that it will be similar for squeeze: it
will be vulnerable to about 67% of the issues that wheezy will;
although that could be +-10%, +-20%, who knows since events have yet
to happen.

> > I've been using ati cards exclusively for some time now; although I've
> > also been willing to install the fglrx driver for full support ;)
> 
> Then I really can't take your concern for security seriously.  The
> changelog for fglrx-source has no mention of security fixes, and I don't
> for one moment believe there are no vulnerabilities in it.

Well, that's a risk I'm willing to accept for myself.  Others may have a
differing perspective, and that's fine. My risk mitigation strategy
should have nothing to do with the rest of the project's.

> > Also, the xorg vesa driver does work.
> 
> Seems like a waste of money to buy an ATI card and then use it as a dumb
> framebuffer.

Not all ati cards are top of the line, and not all users need 3D anyway.

> > Again, if the user is interested in such new developments, they will
> > need to be willing to learn how to run an unstable system.
> 
> I thought that users interested in new stuff were supposed to run CUT.

Most packages will in fact be new, just the kernel and reverse
dependencies will be held back.  Hence CUT users will get 99% new
stuff (with respect to stable), and a tiny bit held back simply for
stability. Like I've said a couple of times now, it's a balancing act.

All I'm asking for is a few month long experiment.  And if the
experiment shows signs of flaws/weaknesses, then the blocker can
certainly be lifted.

Best wishes,
Mike

