
Re: Firmware-nonfree update for buster?



Hi Lynoure, all

Lynoure, thank you for your help. I have got the answers I need. Much appreciated!

Moritz, Lynoure, for the future, is there any way I could have improved the questions in my initial email? I have re-read the CVEs quite a bit now and I do not see how I could have formulated myself much differently.
To my knowledge there is no information in the security tracker whether there are plans to update the package or not and whether you would object to an upload. Just because it is marked as no-dsa does not mean that the package maintainer does not plan to do an update. All it means is that the security team will not take any further actions. There are plenty of cases when the maintainer does an update even if the security team has marked the CVE as no-dsa.

The reason I sent this email was to make sure the LTS team does not do anything that you do not want us to do.

In any case, thank you for your help. Now I know that there are no such plans and you would not object to the LTS team doing an update on stable/buster. This was exactly what I wanted to know.

Best regards

// Ola

On Wed, 19 May 2021 at 17:03, Lynoure Braakman <lynoure@lynoure.net> wrote:
On 19/05/2021 09:38, Moritz Muehlenhoff wrote:
> Ola Lundqvist wrote:
>> I only briefly looked at the CVEs.
>
> If you haven't even looked at the issues properly, don't waste other people's time.

Seems things got a bit prickly here, so I'm seeing if I can do some
coordinating to make things a bit smoother.

I believe that everyone involved, both you and Ola, had good motivations
behind their words.


I'm seeing the notes in the context of it being marked vulnerable (no
DSA) on buster:

[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
Short of details:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
Per Intel, this was fixed by a firmware update. v49.0.1 of the
firmware is required. The new firmware requires a kernel patch
https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26
Firmware was added via
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=c487f7dadcd21116613441ed355b764003b3f57b


Based on that, here is what my takes on Ola's questions might be:
1) Too invasive for this issue, but it's nice to give people enough
information to deal with this themselves
2) Not really
3) The treatment of this issue on buster and stretch would be best to be
kept consistent unless there are pressing reasons to do otherwise


Moritz, is that compatible with your take on this?
Ola, does this help you on this topic?


--
Lynoure Braakman







--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

