Hi Holger,

On Tue, Apr 05, 2005 at 12:35:44PM +0200, Holger Levsen wrote:
> to fix #297811, which is about adding the kernel abi version number to
> fai-kernels (which is only built on i386 currently, powerpc is pending) to be
> able to do security support for fai-kernels in sarge, I made the following
> changes and I would like to ask for the release managers' and security team's
> opinion if these changes are sufficient to provide security support for
> fai-kernels.
>
> The included debs in the package (yes, this package includes .debs - see below
> for an explanation) now contain the kernel ABI version:
>
> $ dpkg -L fai-kernels # output edited to save space
> /usr/lib/fai/kernel/kernel-image-2.4.27-2-fai_1_i386.deb
> /usr/lib/fai/kernel/kernel-image-2.6.8-2-fai_1_i386.deb
> /usr/share/doc/fai-kernels/README
> /usr/share/doc/fai-kernels/README.non-i386
> /usr/share/doc/fai-kernels/README.security-updates
> /usr/share/doc/fai-kernels/copyright
> /usr/share/doc/fai-kernels/config-2.6.8.gz
> /usr/share/doc/fai-kernels/changelog.gz
> /usr/share/doc/fai-kernels/config-2.4.27.gz

To reiterate our discussion on IRC, I don't think this addresses my concerns,
which are that:

- Nothing in the package (binary or source) uniquely identifies the
  kernel-source patchlevel used (including the added ABI name, since ABI name
  != patchlevel)

- Nothing in the source or binary package names matches the
  kernel.*2\.(4\.27|6\.8) regexp that I've been using so far to identify the
  kernel packages requiring attention

I have no knowledge of how important the latter is to the security team; they
may not be bothered by it as long as they're aware that this package exists
which doesn't follow the usual naming convention. (I presume that after this
thread, at least one member of the security team *is* aware of this.)

Cheers,
-- 
Steve Langasek
postmodern programmer
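The second concern above, shown as an added example (not code from either mail or from the fai project): the name-based regexp quoted in the message misses a package that ships kernel-image .debs under a non-kernel name, but scanning each package's file list finds the embedded .debs and what their filenames do and do not identify. The package lists are constructed for the example; only the fai-kernels paths come from the mail.

```python
import re

# Constructed dpkg -L style file lists; the fai-kernels entries are the ones
# quoted in the mail, the other two packages are made up for contrast.
SAMPLE_PACKAGES = {
    "kernel-image-2.4.27-2-386": [
        "/boot/vmlinuz-2.4.27-2-386",
        "/lib/modules/2.4.27-2-386/kernel/drivers/net/e100.o",
    ],
    "fai-kernels": [
        "/usr/lib/fai/kernel/kernel-image-2.4.27-2-fai_1_i386.deb",
        "/usr/lib/fai/kernel/kernel-image-2.6.8-2-fai_1_i386.deb",
        "/usr/share/doc/fai-kernels/README.security-updates",
    ],
    "fai": ["/usr/sbin/fai"],
}

# The regexp from the mail, applied to package names only.
KERNEL_NAME_RE = re.compile(r"kernel.*2\.(4\.27|6\.8)")

# Debian binary filename layout: <package>_<version>_<arch>.deb, where the
# kernel-image package name carries <upstream>-<abi>-<flavour>.
EMBEDDED_DEB_RE = re.compile(
    r"/(kernel-image-(\d+\.\d+\.\d+)-(\d+)-[^_/]+)_([^_/]+)_([^_/]+)\.deb$"
)


def matches_by_name(package):
    """True if the package name alone would be picked up by the regexp."""
    return bool(KERNEL_NAME_RE.search(package))


def embedded_kernels(files):
    """Parse kernel-image .debs found in a file list. Note there is no
    patchlevel field: the filename carries upstream version and ABI only,
    which is exactly the first concern raised in the mail."""
    found = []
    for path in files:
        m = EMBEDDED_DEB_RE.search(path)
        if m:
            found.append({"package": m.group(1), "upstream": m.group(2),
                          "abi": m.group(3), "version": m.group(4),
                          "arch": m.group(5)})
    return found


def audit(packages):
    """Packages the name regexp skips even though they ship kernel .debs."""
    return {pkg: embedded_kernels(files) for pkg, files in packages.items()
            if not matches_by_name(pkg) and embedded_kernels(files)}
```

Running `audit(SAMPLE_PACKAGES)` reports only fai-kernels, with both embedded kernels and their ABI numbers but no patchlevel.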