On Wed, Apr 19, 2006 at 03:56:41PM -0600, Michael Loftis wrote:
> Increasingly 2.6 is unsuitable for production use due to its huge amount of
> change and lack of stable tree. There was a decision to do away with the
> old split development/odd numbered development model sometime after about
> 2.6.11 so all hope of a stable 2.6 series is gone.

Speaking as the admin of a large (several hundred hosts) Debian installation, I agree. Hopefully something will come of http://kerneltrap.org/node/6386

Speaking as a Security Team secretary, you should not treat all kernel CVEs as equal. Many of them are low priority information leaks, hard to exploit DoS attacks, or only affect obscure hardware. Many of them affect only a very few users or are only exploitable in theory. None of them are being widely exploited. Rest assured that, if a remote root exploit is discovered in the kernel tomorrow, we'll have a fix out promptly.

I don't mean for the above to be interpreted as though the Debian security team does not take kernel security seriously. That's quite the opposite. However, releasing a new kernel update for every CVE that comes out is really not in anybody's interest.

noah