herve <herve@couvelard.com> writes:concerning the linux-headers. may i explain what happend to me. I reinstalled a debian 11.6 some months ago. and last week i had to make virtualbox functioning again. it had to "compile" some kernel modules and need some "headers". my kernel (from the install is 5.10.0-23-amd64 #1 SMP Debian 5.10.179-3 (2023-07-27) x86_64 GNU/Linux) so virtualbox need some 5.10.0-23 headers... you can find 5.10.0.20, 5.10.0.22, 5.10.0.25 in the repos from where the install came from. I had to surf the web and find a 5.10.0.23 in the web site of an university and wget it to dpkg -i it.No, you didn't. You could, and should, simply update the kernel with the latest security fixes, and then install the matching headers from the same repo.I do not know (maybe i could not even understand) the security reasons/problems of the headers versioning but it seems from my end-user point of view that, the actual situation that lend me to download from a website is the worst possible solution.Running out-of-tree kernel code means that you can't use the security card. Sorry. Bjørn
Bjørn
thank you for your answer.
I remember that linus had the aim to be the less annoying for the
user-expérience. I can understand _your_ point of view to have the
"kernel-three-code" and the "security" card things. the fact is i
didn't choose neither testing, neither sid but stable. And in my
experience upgrading kernel is not always smooth. so I used to
keep the same kernel, until it is important to change, and i have
time to do it. Not when i have to run a wm to finish a job.
It is, from my point of view a "geek" stuff to "delete" the
packages from the repos. _you_ think I _must_ upgrade my kernel.
OK. But if it was so simple their would not have theses messages
on the list. When i tried to install the headers i had no message
i should upgrade, just the packages were not existing (the same
that if there was was a typo). So i surfed the web to find it. How
could i know that i _should_ upgrade to benefit the right to get
some headers ? If i installed them in the same time as the kernel,
i would have them already : which differences in terms of security
(installed in july - installed in september) ?
I just want to point, that i didn't initiate a thread to
complain, i just share my experience on an existing thread about
headers and security. i was not shamming security or else. i was
just saying that the politic to improve security pushed me to
download from the web instead of the repos. is the solution worse
than the disease ? I use linux on the desktop for almost 25 years,
red hat, then fedora, then debian and that never happened until
last week. I was thinking that the difference between free
software and proprietary one is the possibility for free software
user to upgrade when _they_ want and not when the _supplier_
decide they should. and suppress headers is _forcing_ user to
upgrade.
So to conclude, my experience is not a way to propose or impose a solution but to point that there are sometimes between chair and screen some "normal" persons that just want things to run. If the solution proposed by virtualbox (install headers, naming them) could not function, they will install something else. And, if i find alone the solution by some little experience, lots of people won't. Of course you are right about "Running out-of-tree kernel code" but that would not help them.
Linux is not so easy, maybe it is not a good idea to had some
complications. if a kernel is so rapidly "out-of-tree" why let it
in the "stable" distribution ?
my 2 cents.
hervé
ps : i really understand your point of view, i just want to say
it is not in the 10 commandments