Hi, to fix #297811, which is about adding the kernel abi version number to fai-kernels (which is only build on i386 currently, powerpc is pending) to be able to do security support for fai-kernels in sarge, I made the following changes and I would like to ask on the release managers and security teams opinion if these changes are sufficient to provide security support for fai-kernels. The included debs in the package (yes, this package includes .debs - see below for an explaination) now contain the kernel ABI version: $ dpkg -L fai-kernels # output edited to save space /usr/lib/fai/kernel/kernel-image-2.4.27-2-fai_1_i386.deb /usr/lib/fai/kernel/kernel-image-2.6.8-2-fai_1_i386.deb /usr/share/doc/fai-kernels/README /usr/share/doc/fai-kernels/README.non-i386 /usr/share/doc/fai-kernels/README.security-updates /usr/share/doc/fai-kernels/copyright /usr/share/doc/fai-kernels/config-2.6.8.gz /usr/share/doc/fai-kernels/changelog.gz /usr/share/doc/fai-kernels/config-2.4.27.gz I also introduced a new file, /usr/share/doc/fai-kernels/README.security-updates with the following content: Howto handle security fixes for fai-kernels ------------------------------------------- fai-kernels uses the kernel-source-2.4.27 and kernel-source-2.6.8 packages. If these packages get updated with a security fix, fai-kernels needs to be rebuild. The kernel-image-debs which are included in the fai-kernel package contain the kernel abi version in the included packages name. If the abi version changes, those abi version number has to be incremented in fai kernels control file as well. fai kernels control file supports different abi versions for 2.4 and 2.6. Currently the fai-kernels package is only build on i386, building it on powerpc is worked on at the moment. (BTW, note that there is no abi version in the debians powerpc kernel image packages currently.) In etch FAI should be changed to use debian standard kernels, so security updates are no issue anymore (from a fai kernel POV :) Currently this is not possible, as those kernels don't contain nfsroot support, and FAI needs it (currently - the plan is to initrd kernel for FAI as well.) -------------------------------------------------------------------------------------- I also slighty changed the package description: Description: special kernels for FAI (Fully Automatic Installation) This package contains the kernels which are used by the install clients during the fully automatic installation. Therefore this package contains .deb packages which need to be installed into the nfsroot-filesystem on the fai-server when running make-fai-nfsroot. . These kernels are only useful for the package FAI. . Currently there are only i386 kernels available, but the source package has support for powerpc, although not heavily tested. Read the FAI guide to learn how to use FAI on other architectures. --------------------------------------------------------------------------- Any suggestions welcome! I can be reached via mail or on #debian-release on OFTC (as h01ger, I will stay on OFTC until this bug is solved). If you want to examine the changes in detail, I can put them online somewhere. If you agree with these changes fixing #297811, Thomas Lange will happily upload the new version. regards & thanks for your work, Holger
Attachment:
pgprJygQooFY7.pgp
Description: PGP signature