[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Sarge kernels and Volatile

On Tue, 2005-08-02 at 13:54 -0400, Michael Stone wrote:
> On Tue, Aug 02, 2005 at 12:07:50PM +0900, Horms wrote:
> >Thanks, I wasn't aware of that. However it seems that 
> >working with the security team on this is difficult -
> >lack of response being a primary issue.
> What response do you want? I sent a message 2 months ago asking how
> kernel updates were being coordinated and you replied that they weren't.

Are you asking me or Horms?  *I* was looking for a response from Joey
regarding my plan for updating 2.6.8.  As for the coordination of kernel
updates, we (the kernel team) were unsure of how that was being handled
until fairly recently; we've gotten conflicting answers ranging from "We
should provide kernel updates and the security team will use them
verbatim" to "Don't even bother providing an update, you're just wasting
your time".  I was hoping Joey would answer my response to let me know
if our plan was ok or not, so we could go ahead with it.  In the
meantime, Horms is keeping an updated kernel-source-2.6.8 in our SVN

> I can't speak for anyone else @security.d.o, but for myself I'm looking
> to see the debian kernel maintainers come to a conclusion. This group
> maintainer shit doesn't work if nobody actually wants to take
> responsibility for the package. Bottom line--I'm waiting for the package
> maintainer (debian-kernel) to present packages that fix the problems and
> build (and work) on all 11 archs. 

And we're waiting for a response from the security team about whether or
not we should go through the pain of presenting packages that fix the
problems and build (and work) on all 11 archs.  We need to know just how
much leeway we have with our update; can we include an ABINAME bump?
Can we include other important fixes?  Or are we restricted to a subset
of security fixes that don't break the ABI?  Will you leave it up to our
judgement as to what security fixes to include, or will you have to ok
each and every patch?  If the latter is the case, we'll have to do this
in two steps; first, getting you an updated kernel-source-2.6.8 package,
and after that's been ok'd, building packages for all 11 archs.

As for taking responsibility for the security updates, I believe Horms
is more than willing (but I'm certainly not speaking for him.  Horms?)

Reply to: