
Re: All linux-image-2.6-* packages in Etch/4.0 vulnerable?



-- Please CC me, when replying, since I'm not subscribed to the list.

On Fri, Aug 17, 2007 at 09:19:14AM +0200, Jochen Schulz wrote:
> I cannot confirm this with up-to-date package descriptions from
> ftp2.de.debian.org. I didn't check all of the packages, but at least
> linux-image-2.6-k7 (what you are using) and linux-image-2.6-686 (what I
> am using) actually do depend on their related  linux-image-2.6.18-5-*
> package.

Ahh, OK, now I get it. Actually I only had security.debian.org in my
sources.list besides the DVD set. I thought that would suffice to keep
up-to-date regarding automatic security updates, but in this case it
didn't.

Looking at the changelog of linux-image-2.6-k7 [1], I read:

	 linux-latest-2.6  (6etch1) stable; urgency=high

	    * Update to 2.6.18-5.

		 -- dann frazier <dannf@debian.org>  Thu, 24 May 2007 17:05:09 -0600 

Uh, back in May already. But it also reads "stable; urgency=high",
whereas the package it depends on now must read "stable-security;
urgency=high". Actually there is no changelog available for the latest
linux-image-2.6.18-5-k7 (2.6.18.dfsg.1-13etch1) yet. At the time of
writing the latest changelog entry is for 2.6.18.dfsg.1-13 from Mon, 21
May 2007 14:45:13 -0600.

This leads me to one question. Shouldn't linux-image-2.6-* be
distributed via security.debian.org too? Or in other words, shouldn't
they just be assigned to stable-security instead of just stable? They
only exist to depend on the real kernel package and therefore provide
it as well. Maybe it could be done by just releasing an otherwise
identical version with an adjusted version number in stable-security.
That way, someone who has only security.debian.org in their sources.list and
no other online repositories would still be able to get the update
automatically.

OK, I see that my case described in the OP might be a little bit
special, but I also think releasing an otherwise unchanged package
apart from the version number and the assignment to stable-security
instead of stable, is not that big an effort for a gain in
consistency. I am not familiar with maintaining packages, so if I am
underestimating I stand corrected.
Thanks for your time and effort!

[1] http://packages.debian.org/changelogs/pool/main/l/linux-latest-2.6/linux-latest-2.6_6etch1/changelog

Kind regards
-- 
Marcus Blumhagen

"Any intelligent fool can make things bigger, more complex, and more
violent. It takes a touch of genius -- and a lot of courage -- to move
in the opposite direction."
                                                      -- Albert Einstein
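The message above hinges on the distribution field of a Debian changelog entry ("stable" versus "stable-security"): an upload that only ever went to "stable" is invisible to a sources.list that carries security.debian.org alone. The following is an added example, not code from the original thread or from Debian: a small parser for the changelog header/trailer format that reports which versions were never uploaded to a *-security suite. The sample changelog is constructed for this illustration; it reproduces the 6etch1 entry quoted above in standard changelog layout, and the "0.0-example1" entry and its maintainer are hypothetical placeholders, not real uploads.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Header line of a Debian changelog entry, e.g.
#   linux-latest-2.6 (6etch1) stable; urgency=high
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^()]+)\) (?P<dists>[^;]+);(?P<opts>.*)$"
)
# Trailer line: " -- Maintainer <email>  Date" (two spaces separate maintainer and date)
TRAILER_RE = re.compile(r"^ -- (?P<maint>.+?)  (?P<date>.+)$")


@dataclass
class Entry:
    source: str
    version: str
    distributions: Tuple[str, ...]
    urgency: str
    changes: List[str] = field(default_factory=list)
    maintainer: str = ""
    date: str = ""

    @property
    def via_security(self) -> bool:
        """True when the upload targeted a *-security suite (i.e. security.debian.org)."""
        return any(d.endswith("-security") for d in self.distributions)


def parse_changelog(text: str) -> List[Entry]:
    """Parse a Debian changelog into entries (newest first, as in the file)."""
    entries: List[Entry] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            # Options after ';' are comma-separated key=value pairs, e.g. urgency=high
            opts = {}
            for kv in m.group("opts").split(","):
                key, _, value = kv.strip().partition("=")
                if key:
                    opts[key] = value
            current = Entry(
                source=m.group("source"),
                version=m.group("version"),
                distributions=tuple(m.group("dists").split()),
                urgency=opts.get("urgency", "low"),
            )
            entries.append(current)
            continue
        t = TRAILER_RE.match(line)
        if t and current is not None:
            current.maintainer = t.group("maint").strip()
            current.date = t.group("date").strip()
            current = None  # trailer closes the entry
            continue
        if current is not None and line.startswith("  ") and line.strip():
            current.changes.append(line.strip())
    return entries


def missing_from_security(entries: List[Entry]) -> List[str]:
    """Versions uploaded only to plain suites; a sources.list with only
    security.debian.org would never see these."""
    return [e.version for e in entries if not e.via_security]


# Constructed sample: the first entry is a hypothetical placeholder upload,
# the second reproduces the real 6etch1 entry quoted in the message above.
SAMPLE_CHANGELOG = """\
linux-latest-2.6 (0.0-example1) stable-security; urgency=high

  * Constructed entry for illustration (not a real upload).

 -- Example Maintainer <example@example.invalid>  Mon, 20 Aug 2007 12:00:00 +0000

linux-latest-2.6 (6etch1) stable; urgency=high

  * Update to 2.6.18-5.

 -- dann frazier <dannf@debian.org>  Thu, 24 May 2007 17:05:09 -0600
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for e in parsed:
        channel = "security" if e.via_security else "plain"
        print(f"{e.source} {e.version}: {' '.join(e.distributions)} [{channel}], urgency={e.urgency}")
    print("never uploaded via a security suite:", missing_from_security(parsed))
```

On a real system the same check can be run against /usr/share/doc/<package>/changelog.Debian.gz after decompressing it; a metapackage whose every entry targets plain "stable" is exactly the case the message describes, where security.debian.org alone does not pull the new dependency.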
