
RE: Sarge Kernel Image Package Question

On Thursday, June 29, 2006 9:58 AM -0500, Ralph Katz wrote:

> On 06/29/2006, Linas Žvirblis wrote:
> > Why should it? Many people prefer to manually choose their
> > kernels, as this is not something you can upgrade at any given
> > time. It is not a problem either way - installing or removing a
> > meta package is not that hard, is it?
> Hi Linas,
> You are correct that installing the meta package is not hard.
> The issue is security; without the meta package, kernel updates are
> /not/ automatic with apt-get/aptitude upgrades.  For desktop users
> and non-developers like me who maintain our own systems, it's easy
> to miss the fact that kernel security updates are skipped without
> the meta package.  For this reason, I believe the current default
> installation procedure and docs are flawed.
> But it seems I'm alone on this as my post to this list got no
> response last April,
> http://lists.debian.org/debian-user/2006/04/msg00547.html pasted
> below.

I agree with Ralph: this is a packaging problem that creates a security
problem for the less expert users.  While it is true that it's not hard
to manually install the meta-package, here's the reason I believe it
should be installed as the default.

Compiling a new kernel, while not all that difficult, is not something
the average desktop user typically does.  It is also not something the
average desktop user should be required to read about, or even deal with
a dialog concerning pros and cons during an install.  This is likely
to generate more confusion and unnecessary requests for help.  Some
Debian purists may consider this an opportunity to educate new users as
to the options available, without regard to whether they want or need
such information.

I don't think it's an unreasonable criterion that someone who just wants to
create a Debian desktop install for the stable distribution should be
able to go through the installation procedure and wind up with a system
where _all_ security fixes are applied through the normal update tools.
They shouldn't _have_ to read lots of manuals, and be confused by myriad
options they don't understand, in order to achieve that result.  They
also should not have to go to Ubuntu, which exists at the whim of a
single wealthy and well-intentioned individual.

Making an exception for the kernel is getting it backwards.  It's the
experienced users that compile their own kernels, or use a kernel from
other than the stable distribution, who should disable the automatic
notifications in the update tools.  In their case, even if they fail to
get rid of the meta-package, they know enough to ignore any kernel
update notifications they receive through apt-get update.

Average desktop users, OTOH, don't even know they are missing a kernel
security upgrade unless they read the fine print in the installation
manual (assuming we add it) or subscribe to the Debian Security list.
While in the ideal world, all users would do both of those things, most
average desktop users will do neither.  The punishment for that should
not be a kernel with known security flaws.  Nor should we erect barriers
to average users who would otherwise be satisfied with a Debian system
in favor of an unnamed commercial one.

Retaining the requirement to manually add the kernel meta-package, if
you want kernel security upgrades, is not a reasonable way to go, IMHO.
Making it part of the default install, and adding a note in the install
manual for advanced users as to when and how to disable it, makes a lot
more sense.  If we continue to insist on keeping things as they are, our
place as an O/S with an 8% desktop share is quite secure.  Demanding
that users must educate themselves might feel righteous, but it won't
attract new users.

Does this approach "coddle" new users?  Perhaps.  Isn't that a bad idea?
No, because Debian is just a tool, not a way of life.  While there are
many admirable social goals in the Debian project and the open-software
movement, those are secondary for most users.  They decide whether or
not to use a given piece of software because of how much it improves
their productivity and how much trouble it is.  After using it for a
while, _some_ of them will figure out that the reason it works as well
as it does is because of the open-source development model, and will
decide that's a valuable thing on its own.  That's all we need.

Seth Goodman
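
A quick check a desktop user can run to see whether the situation Ralph and Seth describe applies to their box, i.e. whether a kernel meta-package is installed at all. This is an added example, not code from the thread; the package names and versions in the sample listings are constructed, and the kernel-image-2.6-686 (meta) versus kernel-image-2.6.8-2-686 (concrete ABI package) naming is assumed from Sarge's packaging convention.

```shell
#!/bin/sh
# Added example (not from the thread): read dpkg-style listing lines
# (status, name, version) on stdin and decide whether a kernel
# meta-package is installed.  Only a meta-package gets a new kernel
# pulled in by a routine apt-get/aptitude upgrade.

# Print the names of installed kernel meta-packages found in the listing.
# A meta-package name carries only major.minor (e.g. 2.6) before the
# flavour; a concrete kernel package carries the full version and ABI
# (e.g. 2.6.8-2), so it never matches this pattern.  Status "ii" keeps
# only currently installed packages (a removed one shows as "rc").
installed_kernel_metas() {
    awk '$1 == "ii" { print $2 }' |
        grep -E '^(kernel|linux)-image-[0-9]+\.[0-9]+-[A-Za-z0-9]+$' || true
}

# Print "covered" (return 0) when at least one meta-package is installed,
# otherwise "not-covered" (return 1).
kernel_meta_status() {
    if [ -n "$(installed_kernel_metas)" ]; then
        echo covered
        return 0
    fi
    echo not-covered
    return 1
}

# Constructed sample listings in `dpkg -l` format (assumed package
# names and versions, for illustration only).
SAMPLE_WITH_META='ii  kernel-image-2.6-686      101
ii  kernel-image-2.6.8-2-686  2.6.8-16sarge1
ii  libc6                     2.3.2.ds1-22'

# Here the meta-package was removed (status rc): the concrete kernel
# stays installed, but nothing will pull in a newer ABI package.
SAMPLE_WITHOUT_META='ii  kernel-image-2.6.8-2-686  2.6.8-16sarge1
rc  kernel-image-2.6-686      101
ii  libc6                     2.3.2.ds1-22'

# On a real system:  dpkg -l | kernel_meta_status
printf '%s\n' "$SAMPLE_WITH_META"    | kernel_meta_status
printf '%s\n' "$SAMPLE_WITHOUT_META" | kernel_meta_status || true
```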
