Re: Dropping the ntfs kernel module
Hi Stable release managers,
On Thu, Apr 25, 2019 at 03:27:21PM +0100, Ben Hutchings wrote:
> Linux's ntfs kernel module, supporting Windows's native filesystem, has
> three security issues open against it (CVE-2018-12929, CVE-2018-12930,
> CVE-2018-12931) and there is no sign of progress towards fixing them
> upstream.
>
> This module is limited to read-only functionality by default; its write
> support only covers overwriting existing files and has been disabled in
> Debian kernel configurations since stretch. The alternative FUSE-based
> implementation, ntfs-3g, is far more functional, though it may have
> lower performance. It is already used in the installer and included in
> all the desktop tasks (unless installation of Recommends is disabled).
>
> I intend to disable building this module in the next upload to sid,
> targetting buster.
>
> I think we should also disable building it in updates to jessie and
> stretch, but would like to get an OK from the Stable Release Managers
> before doing that.
Any opinion on your side on disabling building the ntfs kernel module
for stretch?
Regards,
Salvatore
Reply to: