[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Dropping the ntfs kernel module

Linux's ntfs kernel module, supporting Windows's native filesystem, has
three security issues open against it (CVE-2018-12929, CVE-2018-12930,
CVE-2018-12931) and there is no sign of progress towards fixing them

This module is limited to read-only functionality by default; its write
support only covers overwriting existing files and has been disabled in
Debian kernel configurations since stretch.  The alternative FUSE-based 
implementation, ntfs-3g, is far more functional, though it may have
lower performance.  It is already used in the installer and included in
all the desktop tasks (unless installation of Recommends is disabled).

I intend to disable building this module in the next upload to sid,
targetting buster.

I think we should also disable building it in updates to jessie and
stretch, but would like to get an OK from the Stable Release Managers
before doing that.


Ben Hutchings
Horngren's Observation:
              Among economists, the real world is often a special case.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: