
Re: Kernel upgrades = security upgrades - a possible solution?
On Wed, Sep 29, 1999 at 02:42:38AM -0700, Seth R Arnold wrote:
> On Wed, Sep 29, 1999 at 10:27:43AM +0000, Marcin Owsiany wrote:
> > On Tue, Sep 28, 1999 at 09:41:26PM -0500, Ashley Clark wrote:
> > > On Tue, 28 Sep 1999, Marcin Owsiany wrote:
> > > > the way to solve the problem would be to create a package called e.g.
> > > > "secure-kernel", which would depend on the most secure "kernel-image-<ver>".
> > > > Then if the security team has a newer kernel with security bugfixes, they
> > > > would make a new version of "secure-kernel" which would depend on the fixed
> > > > kernel.
> > > 
> > > I, for one, wouldn't want my kernel upgraded automatically, no matter
> > > what the fixes involved are. Here's why: I have compiled my own
> > > kernel with my hardware selected (sound, tape drive, scsi card,
> > > network card) and Debian simply can't afford to make all possible
> > > combinations of kernel configurations to provide an easy upgrade path
> > > for users. Now, possibly there could be some kind of secure-kernel
> > > package which would do nothing more than simply inform you during
> > > upgrade that a newer kernel with such-and-such security patches is
> > > available and recommend how to upgrade; that seems more reasonable
> > > to me at least.
> > 
> > That is the point of this idea. If you want your kernel to be upgraded
> > automatically, you install secure-kernel, if you only want to be informed,
> > you install secure-kernel-info, if you don't care at all, you install
> > neither.
> 
> I am still very leery of automatic kernel updating... I do rather like the
> idea of secure-kernel-info, as Marcin has described it, but it needs a
> better name; secure-kernel just won't do it. kernel-update-watcher perhaps.

But of course, I know the names need improving.

> However, if security is enough of an issue for you that you think a kernel
> package should be made around it, maybe you should keep an eye on bugtraq
> and freshmeat, or a cron-job to grab the LATEST-VERSION-IS file from the
> kernel.org servers -- no matter which approach is taken, it will be faster
> than waiting for a new kernel package to come along...

I guess this kind of kernel package would be for people quite concerned
about security but also quite lazy :)
Also, if you administer a lot of boxes, and if they work ok with the default
kernel, you will find it _a lot_ more convenient to automatically upgrade
the kernel than to compile it for each box...
Just my 0.02

Marcin

-- 

---------------------------------
Marcin Owsiany
porridge@pandora.info.bielsko.pl
---------------------------------
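The informational variant the thread converges on (secure-kernel-info, or Seth's cron job that grabs LATEST-VERSION-IS and compares it with the running kernel), written out as an added POSIX sh example that is not code from this thread or from Debian. The version-file format (a bare version string), the package name in the message and the helper names are assumptions, and the sample file is constructed locally instead of being fetched from kernel.org.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian: a minimal
# "kernel-update-watcher" in the spirit of secure-kernel-info. It compares the
# running kernel version with the version named in a LATEST-VERSION-IS style
# file and only reports, never installs. The file format (a bare version
# string) is an assumption; the sample file below is constructed locally.

# version_lt A B: succeed (return 0) if dotted version A is older than B.
# Components are compared numerically, so 2.2.9 sorts before 2.2.13, and a
# Debian-style suffix such as "-smp" on a component is dropped by awk's +0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# latest_version FILE: first whitespace-separated token of the fetched file.
latest_version() {
    awk 'NF { print $1; exit }' "$1"
}

# kernel_check RUNNING LATEST: print the notice secure-kernel-info would give;
# return 0 when a newer kernel is available, 1 when the kernel is current.
kernel_check() {
    if version_lt "$1" "$2"; then
        echo "secure-kernel-info: running $1, latest is $2; review the fixes and consider kernel-image-$2"
        return 0
    fi
    echo "secure-kernel-info: kernel $1 is current"
    return 1
}

# Constructed stand-in for the file a cron job would download from kernel.org.
LATEST_FILE=$(mktemp)
printf '2.2.13\n' > "$LATEST_FILE"

kernel_check "$(uname -r)" "$(latest_version "$LATEST_FILE")" || true
rm -f "$LATEST_FILE"
```

Dropped into cron, the script gives the "a newer kernel is available" notice from the thread without touching the custom kernel an admin has built for their hardware.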
