Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
On Fri, Dec 12, 2008 at 11:37:35AM -0700, dann frazier wrote:
> On Fri, Dec 12, 2008 at 08:53:43AM +0000, Marcin Owsiany wrote:
> > On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
> > > On Thu, Dec 11, 2008 at 06:49:59PM +0000, Dominic Hargreaves wrote:
> > > > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> > > > > Yes - 2.6.18 is in stable, and as such will be security supported for
> > > > > at least another year. Minor/local DoS security issues in the kernel
> > > > > are very frequent, so updated packages are constantly in
> > > > > preparation. Preparing kernel updates is resource intensive so, unless
> > > > > there's a severe issue, etch users should expect 2.6.18 and 2.6.24
> > > > > updates to be staggered.
> > > >
> > > > Yup, that's pretty much what I expected to hear; thanks for confirming.
> > > >
> > > > May I make a suggestion that you include a comment along these lines in
> > > > the advisory texts? It would help reassure users that things haven't been
> > > > forgotten about greatly.
> > >
> > > Yes, this has been a FAQ since the release of etchnhalf. I'll see
> > > about adding something to the text template. Does this look ok?
> > >
> > > Debian 'etch' includes linux kernel packages based upon both the
> > > 2.6.18 and 2.6.24 linux releases. All known security issues are
> > > carefully tracked against both packages and both packages will
> > > receive security updates until security support for Debian 'etch'
> > > ceases. However, given the high frequency at which low-severity
> > > security issues are discovered in the kernel and the resource
> > > requirements of doing an update, non-critical 2.6.18 and 2.6.24
> > > updates will typically release in a staggered or "leap-frog"
> > > fashion.
> >
> > I'd suggest you add something more explicit, maybe:
> >
> > [fashion], that is when higher-severity issues are fixed.
> >
> > or something similar.
>
> Well, I don't think that's what I mean. High-severity fixes will
> release as soon as possible - likely simultaneously.
Well, that is what I meant as well, but my English is apparently not
good enough to express it. I think there is a single fact that the
reader should get from this:
Low severity fixes often wait until there is a need for a high-severity fix.
Does that sound better?
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216