
RE: Sarge Kernel Image Package Question

On Thu, 2006-06-29 at 13:02 -0500, Seth Goodman wrote:
> On Thursday, June 29, 2006 9:58 AM -0500, Ralph Katz wrote:
> > On 06/29/2006, Linas Žvirblis wrote:
> > > Why should it? Many people prefer to manually choose their
> > > kernels, as this is not something you can upgrade at any given
> > > time. It is not a problem either way - installing or removing a
> > > meta package is not that hard, is it?
> >
> > The issue is security; without the meta package, kernel updates are
> > /not/ automatic with apt-get/aptitude upgrades.  For desktop users
> > and non-developers like me who maintain our own systems, it's easy
> > to miss the fact that kernel security updates are skipped without
> > the meta package.  For this reason, I believe the current default
> > installation procedure and docs are flawed.
> I agree with Ralph: this is a packaging problem that creates a security
> problem for the less expert users.  While it is true that it's not hard
> to manually install the meta-package, here's the reason I believe it
> should be installed as the default.
>
> I don't think it's an unreasonable criterion that someone who just wants to
> create a Debian desktop install for the stable distribution should be
> able to go through the installation procedure and wind up with a system
> where _all_ security fixes are applied through the normal update tools.
> They shouldn't _have_ to read lots of manuals, and be confused by myriad
> options they don't understand, in order to achieve that result.  They
> also should not have to go to Ubuntu, which exists at the whim of a
> single wealthy and well-intentioned individual.
>
> Average desktop users, OTOH, don't even know they are missing a kernel
> security upgrade unless they read the fine print in the installation
> manual (assuming we add it) or subscribe to the Debian Security list.
> While in the ideal world, all users would do both of those things, most
> average desktop users will do neither.  The punishment for that should
> not be a kernel with known security flaws.  Nor should we erect barriers
> to average users who would otherwise be satisfied with a Debian system
> in favor of an unnamed commercial one.

Whoa, am I missing a kernel security upgrade?

> Retaining the requirement to manually add the kernel meta-package, if
> you want kernel security upgrades, is not a reasonable way to go, IMHO.
> Making it part of the default install, and adding a note in the install
> manual for advanced users as to when and how to disable it, makes a lot
> more sense.  If we continue to insist on keeping things as they are, our
> place as an O/S with an 8% desktop share is quite secure.  Demanding
> that users must educate themselves might feel righteous, but it won't
> attract new users.
>
> Does this approach "coddle" new users?  Perhaps.  Isn't that a bad idea?
> No, because Debian is just a tool, not a way of life.  While there are
> many admirable social goals in the Debian project and the open-software
> movement, those are secondary for most users.  They decide whether or
> not to use a given piece of software because of how much it improves
> their productivity and how much trouble it is.  After using it for a
> while, _some_ of them will figure out that the reason it works as well
> as it does is because of the open-source development model, and will
> decide that's a valuable thing on its own.  That's all we need.

It seems to me that any decent Linux distribution ought to be, by
default, reasonably secure.  Manual installation of the bare necessities
(at the least) for security should be left down the ladder at MS.

So what is the "meta-package" that should be installed?  On my system,
Sarge amd64, I have installed kernel-image-2.6-amd64-k8, which depends
on the latest 2.6.8 kernel image (kernel-image-2.6.8-12-amd64-k8).  Is
this the meta-package?  [...I check the previous messages on this
thread...]  Okay, so it is.

So this isn't installed by default?  No?  Why not?!  Why else does
anyone upgrade the stable distribution than for security?  The kernel
should certainly be included in that, /by default/.
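As an added example, not part of the thread, the following POSIX shell script checks the two gaps the discussion turns on: whether the kernel-image-2.6-&lt;flavour&gt; meta-package is installed (so that `apt-get upgrade` pulls new kernel images), and whether the running kernel is actually the newest image present. The package-list format is assumed to be the output of `dpkg-query -W -f='${Package} ${Status}\n'`, version ordering assumes GNU `sort -V`, and the embedded package list is constructed sample data.

```shell
# Added example, not from the thread. Package list lines are assumed to look
# like "name status", i.e. dpkg-query -W -f='${Package} ${Status}\n' output.

# Exit 0 if the meta-package kernel-image-2.6-$1 is installed in list $2.
has_kernel_meta() {
    printf '%s\n' "$2" | grep -q "^kernel-image-2\.6-$1 install ok installed$"
}

# Print the newest installed kernel-image-2.6.x-N-$1 version from list $2,
# in the form uname -r reports it, or nothing if no such image is installed.
# Version ordering relies on GNU sort -V (assumption).
newest_kernel_image() {
    printf '%s\n' "$2" \
      | grep "^kernel-image-2\.6\.[0-9.]*-[0-9]*-$1 install ok installed$" \
      | cut -d' ' -f1 | sed 's/^kernel-image-//' \
      | sort -V | tail -n 1
}

# $1 = running kernel (uname -r), $2 = flavour, $3 = package list.
# Returns 0 if the running kernel is the newest installed image, 1 if a newer
# image is installed but not booted, 2 if no image of that flavour exists.
running_is_newest() {
    newest=$(newest_kernel_image "$2" "$3")
    [ -n "$newest" ] || return 2
    [ "$1" = "$newest" ]
}

# Print a summary of both checks for flavour $1, running kernel $2, list $3.
report() {
    flavour=$1; running=$2; pkgs=$3
    if has_kernel_meta "$flavour" "$pkgs"; then
        echo "ok: kernel-image-2.6-$flavour installed; kernel updates follow apt-get upgrade"
    else
        echo "WARNING: kernel-image-2.6-$flavour missing; kernel security updates will be skipped"
    fi
    rc=0; running_is_newest "$running" "$flavour" "$pkgs" || rc=$?
    case $rc in
        0) echo "ok: running kernel $running is the newest installed image" ;;
        1) echo "WARNING: $(newest_kernel_image "$flavour" "$pkgs") is installed but $running is running; reboot needed" ;;
        *) echo "WARNING: no kernel-image-2.6.*-$flavour package is installed" ;;
    esac
}

# Constructed sample list (not from a real machine): two images, no
# meta-package, and the older image still booted.
SAMPLE_PKGS='kernel-image-2.6.8-9-amd64-k8 install ok installed
kernel-image-2.6.8-12-amd64-k8 install ok installed
libc6 install ok installed'

report amd64-k8 2.6.8-9-amd64-k8 "$SAMPLE_PKGS"
# Live use: report amd64-k8 "$(uname -r)" "$(dpkg-query -W -f='${Package} ${Status}\n')"
```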
